Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-319
Total 456 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-27619 1 Synology 1 Note Station 2022-08-09 N/A 5.9 MEDIUM
Cleartext transmission of sensitive information vulnerability in authentication management in Synology Note Station Client before 2.2.2-609 allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors.
CVE-2022-31204 1 Omron 15 Cp1w-cif41, Cp1w-cif41 Firmware, Cx-programmer and 12 more 2022-08-04 N/A 7.5 HIGH
Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords. They feature a UM Protection setting that allows users or system integrators to configure a password in order to restrict sensitive engineering operations (such as project/logic uploads and downloads). This password is set using the OMRON FINS command Program Area Protect and unset using the command Program Area Protect Clear, both of which are transmitted in cleartext.
CVE-2022-28861 2 Axis, Citilog 2 M1125, Citilog 2022-07-29 N/A 5.9 MEDIUM
The server in Citilog 8.0 allows an attacker (in a man in the middle position between the server and its smart camera Axis M1125) to see FTP credentials in a cleartext HTTP traffic. These can be used for FTP access to the server.
CVE-2021-27574 1 Remotemouse 1 Emote Remote Mouse 2022-07-12 6.8 MEDIUM 8.1 HIGH
An issue was discovered in Emote Remote Mouse through 4.0.0.0. It uses cleartext HTTP to check, and request, updates. Thus, attackers can machine-in-the-middle a victim to download a malicious binary in place of the real update, with no SSL errors or warnings.
CVE-2021-36382 1 Devolutions 1 Devolutions Server 2022-07-12 4.3 MEDIUM 3.7 LOW
Devolutions Server before 2021.1.18, and LTS before 2020.3.20, allows attackers to intercept private keys via a man-in-the-middle attack against the connections/partial endpoint (which accepts cleartext).
CVE-2021-20623 1 Panasonic 1 Video Insight Vms 2022-07-12 10.0 HIGH 9.8 CRITICAL
Video Insight VMS versions prior to 7.8 allows a remote attacker to execute arbitrary code with the system user privilege by sending a specially crafted request.
CVE-2020-27184 1 Moxa 6 Nport Ia5150a, Nport Ia5150a Firmware, Nport Ia5250a and 3 more 2022-07-12 4.3 MEDIUM 5.9 MEDIUM
The NPort IA5000A Series devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-the-Middle attacks.
CVE-2021-36165 1 Riconmobile 2 S9922l, S9922l Firmware 2022-07-12 5.0 MEDIUM 5.3 MEDIUM
RICON Industrial Cellular Router S9922L 16.10.3(3794) is affected by cleartext storage of sensitive information and sends username and password as base64.
CVE-2020-4980 2 Ibm, Linux 2 Qradar Security Information And Event Manager, Linux Kernel 2022-07-12 3.3 LOW 6.5 MEDIUM
IBM QRadar SIEM 7.3 and 7.4 uses less secure methods for protecting data in transit between hosts when encrypt host connections is not enabled as well as data at rest. IBM X-Force ID: 192539.
CVE-2021-39026 1 Ibm 1 Guardium Data Encryption 2022-07-12 4.3 MEDIUM 5.9 MEDIUM
IBM Guardium Data Encryption (GDE) 5.0.0.2 and 5.0.0.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 213964.
CVE-2021-27569 1 Remotemouse 1 Emote Remote Mouse 2022-07-12 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Emote Remote Mouse through 4.0.0.0. Attackers can maximize or minimize the window of a running process by sending the process name in a crafted packet. This information is sent in cleartext and is not protected by any authentication logic.
CVE-2021-45735 1 Totolink 2 X5000r, X5000r Firmware 2022-07-12 5.0 MEDIUM 7.5 HIGH
TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to use the HTTP protocol for authentication into the admin interface, allowing attackers to intercept user credentials via packet capture software.
CVE-2021-34825 2 Fedoraproject, Quassel-irc 2 Fedora, Quassel 2022-07-12 4.3 MEDIUM 7.5 HIGH
Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system.
CVE-2021-45104 1 Wisc 1 Htcondor 2022-07-12 5.8 MEDIUM 7.4 HIGH
An issue was discovered in HTCondor 9.0.x before 9.0.10 and 9.1.x before 9.5.1. An attacker who can capture HTCondor network data can interfere with users' jobs and data.
CVE-2021-38142 1 Barco 1 Mirrorop Windows Sender 2022-07-12 7.2 HIGH 8.8 HIGH
Barco MirrorOp Windows Sender before 2.5.3.65 uses cleartext HTTP and thus allows rogue software upgrades. An attacker on the local network can achieve remote code execution on any computer that tries to update Windows Sender due to the fact that the upgrade mechanism is not secured (is not protected with TLS).
CVE-2020-4970 1 Ibm 1 Security Identity Manager 2022-07-12 4.3 MEDIUM 5.9 MEDIUM
IBM Security Identity Governance and Intelligence 5.2.4, 5.2.5, and 5.2.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 192429.
CVE-2021-44480 1 Wokkalokka 2 Wokka Watch Q50, Wokka Watch Q50 Firmware 2022-07-12 9.3 HIGH 8.1 HIGH
Wokka Lokka Q50 devices through 2021-11-30 allow remote attackers (who know the SIM phone number and password) to listen to a device's surroundings via a callback in an SMS command, as demonstrated by the 123456 and 523681 default passwords.
CVE-2022-29519 1 Yokogawa 4 Stardom Fcj, Stardom Fcj Firmware, Stardom Fcn and 1 more 2022-07-08 7.9 HIGH 7.5 HIGH
Cleartext transmission of sensitive information vulnerability exists in STARDOM FCN Controller and FCJ Controller R1.01 to R4.31, which may allow an adjacent attacker to login the affected products and alter device configuration settings or tamper with device firmware.
CVE-2017-20109 1 Calabrio 1 Teleopti Workforce Management 2022-07-07 4.0 MEDIUM 6.5 MEDIUM
A vulnerability classified as problematic was found in Teleopti WFM up to 7.1.0. Affected by this vulnerability is an unknown functionality of the file /TeleoptiWFM/Administration/GetOneTenant of the component Administration. The manipulation leads to information disclosure (Credentials). The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.
CVE-2022-21829 1 Concretecms 1 Concrete Cms 2022-07-05 7.5 HIGH 9.8 CRITICAL
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520.