Vulnerabilities (CVE)

Filtered by CWE-319
Total 456 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-4497 1 Ibm 1 Spectrum Protect Plus 2022-12-20 N/A 5.9 MEDIUM
IBM Spectrum Protect Plus 10.1.0 through 10.1.12 discloses sensitive information due to unencrypted data being used in the communication flow between Spectrum Protect Plus vSnap and its agents. An attacker could obtain information using man in the middle techniques. IBM X-Force ID: 182106.
CVE-2020-9420 1 Arcadyan 2 Vrv9506jac23, Vrv9506jac23 Firmware 2022-12-16 N/A 6.5 MEDIUM
The login password of the web administrative dashboard in Arcadyan Wifi routers VRV9506JAC23 is sent in cleartext, allowing an attacker to sniff and intercept traffic to learn the administrative credentials to the router.
CVE-2022-43724 1 Siemens 2 Sicam Pas, Sicam Pqs 2022-12-15 N/A 9.8 CRITICAL
A vulnerability has been identified in SICAM PAS/PQS (All versions < V7.0). Affected software transmits the database credentials for the inbuilt SQL server in cleartext. In combination with the xp_cmdshell feature, which is enabled by default, unauthenticated remote attackers could execute custom OS commands. At the time of assigning the CVE, the affected firmware version of the component has already been superseded by succeeding mainline versions.
CVE-2022-4409 1 Phpmyfaq 1 Phpmyfaq 2022-12-13 N/A 7.5 HIGH
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9.
CVE-2022-40939 1 Secu 2 Secustation, Secustation Firmware 2022-12-13 N/A 4.9 MEDIUM
In certain Secustation products the administrator account password can be read. This affects V2.5.5.3116-S50-SMA-B20171107A, V2.3.4.1301-M20-TSA-B20150617A, V2.5.5.3116-S50-RXA-B20180502A, V2.5.5.3116-S50-SMA-B20190723A, V2.5.5.3116-S50-SMB-B20161012A, V2.3.4.2103-S50-NTD-B20170508B, V2.5.5.3116-S50-SMB-B20160601A, V2.5.5.2601-S50-TSA-B20151229A, and V2.5.5.3116-S50-SMA-B20170217.
CVE-2022-46685 1 Gitea 1 Gitea 2022-12-12 N/A 4.3 MEDIUM
In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log.
CVE-2019-4280 1 Ibm 1 Sterling File Gateway 2022-12-09 5.0 MEDIUM 5.3 MEDIUM
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 displays sensitive information in HTTP requests which could be used in further attacks against the system. IBM X-Force ID: 160503.
CVE-2022-45478 1 Telepad-app 1 Telepad 2022-12-08 N/A 5.9 MEDIUM
Telepad allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-45480 1 Beappsmobile 1 Pc Keyboard Wifi & Bluetooth 2022-12-05 N/A 5.9 MEDIUM
PC Keyboard WiFi & Bluetooth allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-45483 1 Lazy Mouse Project 1 Lazy Mouse 2022-12-05 N/A 5.9 MEDIUM
Lazy Mouse allows an attacker (in a man in the middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-39339 1 Nextcloud 1 Openid Connect User Backend 2022-12-01 N/A 4.3 MEDIUM
user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1, sensitive information such as the OIDC client credentials and tokens is sent in plain text over HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account security. This issue has been addressed in user_oidc v1.2.1. Users are advised to upgrade. Users unable to upgrade may use https to access Nextcloud. Set an HTTPS discovery URL in the provider settings (in Nextcloud OIDC admin settings).
CVE-2022-44411 1 Web Based Quiz System Project 1 Web Based Quiz System 2022-11-29 N/A 7.5 HIGH
Web Based Quiz System v1.0 transmits user passwords in plaintext during the authentication process, allowing attackers to obtain users' passwords via a brute-force attack.
CVE-2022-43691 1 Concretecms 1 Concrete Cms 2022-11-17 N/A 5.3 MEDIUM
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently discloses server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production.
CVE-2021-38828 1 Xiongmaitech 2 Xm-jpr2-lx, Xm-jpr2-lx Firmware 2022-11-16 N/A 5.3 MEDIUM
Xiongmai Camera XM-JPR2-LX V4.02.R12.A6420987.10002.147502.00000 is vulnerable to plain-text traffic sniffing.
CVE-2022-38122 1 Upspowercom 1 Upsmon Pro 2022-11-15 N/A 7.5 HIGH
UPSMON PRO transmits sensitive data in cleartext over HTTP protocol. An unauthenticated remote attacker can exploit this vulnerability to access sensitive data.
CVE-2021-45447 1 Hitachi 1 Vantara Pentaho 2022-11-04 N/A 7.5 HIGH
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and 8.3.0.25 with the Data Lineage feature enabled transmit database passwords in clear text. The transmission of sensitive data in clear text allows unauthorized actors with access to the network to sniff and obtain sensitive information that can be later used to gain unauthorized access.
CVE-2022-41636 1 Haascnc 1 Haas Controller 2022-11-01 N/A 7.5 HIGH
Communication traffic involving "Ethernet Q Commands" service of Haas Controller version 100.20.000.1110 is transmitted in cleartext. This allows an attacker to obtain sensitive information being passed to and from the controller.
CVE-2021-39272 2 Fedoraproject, Fetchmail 2 Fedora, Fetchmail 2022-10-28 4.3 MEDIUM 5.9 MEDIUM
Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
CVE-2021-44518 1 Digipas 1 Egeetouch Manager 2022-10-27 2.9 LOW 6.8 MEDIUM
An issue was discovered in the eGeeTouch 3rd Generation Travel Padlock application for Android. The lock sends a pairing code before each operation (lock or unlock) activated via the companion app. The code is sent unencrypted, allowing any attacker with the same app (either Android or iOS) to add the lock and take complete control. For successful exploitation, the attacker must be able to touch the lock's power button, and must be able to capture BLE network communication.
CVE-2021-3774 1 Meross 2 Mss550x, Mss550x Firmware 2022-10-27 4.3 MEDIUM 6.5 MEDIUM
Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X), version 3.1.3 and earlier, creates an open Wi-Fi Access Point without the required security measures in its initial setup. This could allow a remote attacker to obtain the Wi-Fi SSID as well as the password configured by the user from the Meross app via a plain HTTP/JSON request.