Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-319
Total 456 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-18908 1 Sky 1 Sky Go 2019-10-02 4.3 MEDIUM 5.9 MEDIUM
The Sky Go Desktop application 1.0.19-1 through 1.0.23-1 for Windows performs several requests over cleartext HTTP. This makes the data submitted in these requests prone to Man in The Middle (MiTM) attacks, whereby an attacker would be able to obtain the data sent in these requests. Some of the requests contain potentially sensitive information that could be useful to an attacker, such as the victim's Sky username.
CVE-2018-18071 1 Mercedes-benz 1 Mercedes Me 2019-10-02 5.0 MEDIUM 7.5 HIGH
An issue was discovered in the Daimler Mercedes-Benz Me app 2.11.0-846 for iOS. The encrypted Connected Vehicle API data exchange between the app and a server might be intercepted. The app can be used to operate the Remote Parking Pilot, unlock the vehicle, or obtain sensitive information such as latitude, longitude, and direction of travel.
CVE-2018-7246 1 Schneider-electric 11 66074 Mge Network Management Card Transverse, Mge Comet Ups, Mge Eps 6000 and 8 more 2019-10-02 5.0 MEDIUM 9.8 CRITICAL
A cleartext transmission of sensitive information vulnerability exists in Schneider Electric's 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. he integrated web server (Port 80/443/TCP) of the affected devices could allow remote attackers to discover an administrative account. If default on device, it is not using a SSL in settings and if multiple request of the page "Access Control" (IP-address device/ups/pas_cont.htm) account data will be sent in cleartext
CVE-2018-7298 1 Eq-3 2 Homematic Central Control Unit Ccu2, Homematic Central Control Unit Ccu2 Firmware 2019-10-02 9.3 HIGH 8.1 HIGH
In /usr/local/etc/config/addons/mh/loopupd.sh on eQ-3 AG HomeMatic CCU2 2.29.22 devices, software update packages are downloaded via the HTTP protocol, which does not provide any cryptographic protection of the downloaded contents. An attacker with a privileged network position (which could be obtained via DNS spoofing of www.meine-homematic.de or other approaches) can exploit this issue in order to provide arbitrary malicious firmware updates to the CCU2. This can result in a full system compromise.
CVE-2018-15752 1 Mensamax 1 Mensamax 2019-10-02 4.3 MEDIUM 8.1 HIGH
An issue was discovered in the MensaMax (aka com.breustedt.mensamax) application 4.3 for Android. Cleartext Transmission of Sensitive Information allows man-in-the-middle attackers to eavesdrop authentication information between the application and the server.
CVE-2018-7960 1 Huawei 2 Espace 7950, Espace 7950 Firmware 2019-10-02 5.8 MEDIUM 7.4 HIGH
There is a SRTP icon display vulnerability in Huawei eSpace product. An unauthenticated, remote attacker launches man-in-the-middle attack to intercept the packets in non-secure transmission mode. Successful exploitation may intercept and tamper with the call information, eventually cause sensitive information leak.
CVE-2018-14627 1 Redhat 1 Wildfly 2019-10-02 4.3 MEDIUM 5.9 MEDIUM
The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections: <transport-config confidentiality="required" trust-in-target="supported"/>
CVE-2018-1360 1 Fortinet 1 Fortimanager 2019-10-02 4.3 MEDIUM 8.1 HIGH
A cleartext transmission of sensitive information vulnerability in Fortinet FortiManager 5.2.0 through 5.2.7, 5.4.0 and 5.4.1 may allow an unauthenticated attacker in a man in the middle position to retrieve the admin password via intercepting REST API JSON responses.
CVE-2018-13140 3 Druide, Linux, Microsoft 3 Antidote 9, Linux Kernel, Windows 2019-10-02 9.3 HIGH 8.1 HIGH
Druide Antidote through 9.5.1 on Windows and Linux allows remote code execution through the update mechanism by leveraging use of HTTP to download installation packages.
CVE-2018-1297 1 Apache 1 Jmeter 2019-10-02 7.5 HIGH 9.8 CRITICAL
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
CVE-2018-12710 1 D-link 2 Dir-601, Dir-601 Firmware 2019-10-02 2.7 LOW 8.0 HIGH
An issue was discovered on D-Link DIR-601 2.02NA devices. Being local to the network and having only "User" account (which is a low privilege account) access, an attacker can intercept the response from a POST request to obtain "Admin" rights due to the admin password being displayed in XML.
CVE-2018-12674 1 Sv3c 4 H.264 Poe Ip Camera Firmware, Sv-b01poe-1080p-l, Sv-b11vpoe-1080p-l and 1 more 2019-10-02 2.9 LOW 5.7 MEDIUM
The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) stores the username and password within the cookies of a session. If an attacker gained access to these session cookies, it would be possible to gain access to the username and password of the logged-in account.
CVE-2018-11477 1 Vgate 2 Icar 2 Wi-fi Obd2, Icar 2 Wi-fi Obd2 Firmware 2019-10-02 3.3 LOW 6.5 MEDIUM
An issue was discovered on Vgate iCar 2 Wi-Fi OBD2 Dongle devices. The data packets that are sent between the iOS or Android application and the OBD dongle are not encrypted. The combination of this vulnerability with the lack of wireless network protection exposes all transferred car data to the public.
CVE-2018-11402 1 Simplisafe 2 U9k-kp1000, U9k-kp1000 Firmware 2019-10-02 1.9 LOW 6.6 MEDIUM
SimpliSafe Original has Unencrypted Keypad Transmissions, which allows physically proximate attackers to discover the PIN.
CVE-2018-11399 1 Simplisafe 8 U9k-es1000, U9k-es1000 Firmware, U9k-kr1 and 5 more 2019-10-02 1.9 LOW 4.3 MEDIUM
SimpliSafe Original has Unencrypted Sensor Transmissions, which allows physically proximate attackers to obtain potentially sensitive information about the specific times when alarm-system events occur.
CVE-2018-11338 1 Intuit 1 Lacerte 2019-10-02 5.0 MEDIUM 7.5 HIGH
Intuit Lacerte 2017 for Windows in a client/server environment transfers the entire customer list in cleartext over SMB, which allows attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors. The customer list contains each customer's full name, social security number (SSN), address, job title, phone number, Email address, spouse's phone/Email address, and other sensitive information. After the client software authenticates to the server database, the server sends the customer list. There is no need for further exploitation as all sensitive data is exposed. This vulnerability was validated on Intuit Lacerte 2017, however older versions of Lacerte may be vulnerable.