Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-319
Total 456 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-37939 1 Elastic 1 Kibana 2021-11-23 4.0 MEDIUM 2.7 LOW
It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster.
CVE-2021-3792 1 Binatoneglobal 42 Cn28, Cn28 Firmware, Cn40 and 39 more 2021-11-16 5.0 MEDIUM 5.3 MEDIUM
Some device communications in some Motorola-branded Binatone Hubble Cameras with backend Hubble services are not encrypted which could lead to the communication channel being accessible by an attacker.
CVE-2020-4152 1 Ibm 1 Qradar Network Security 2021-11-09 4.3 MEDIUM 5.9 MEDIUM
IBM QRadar Network Security 5.4.0 and 5.5.0 transmits sensitive or security-critical data in cleartext in a communication channel that can be obtained using man in the middle techniques. IBM X-Force ID: 17467.
CVE-2021-42699 1 Azeotech 1 Daqfactory 2021-11-09 4.3 MEDIUM 5.9 MEDIUM
The affected product is vulnerable to cookie information being transmitted as cleartext over HTTP. An attacker can capture network traffic, obtain the user’s cookie and take over the account.
CVE-2021-29753 1 Ibm 2 Business Automation Workflow, Business Process Manager 2021-11-09 4.3 MEDIUM 5.9 MEDIUM
IBM Business Automation Workflow 18. 19, 20, 21, and IBM Business Process Manager 8.5 and d8.6 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CVE-2020-7483 2 Microsoft, Schneider-electric 4 Windows 7, Windows Nt, Windows Xp and 1 more 2021-11-08 5.0 MEDIUM 7.5 HIGH
**VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability could cause certain data to be visible on the network when the 'password' feature is enabled. This vulnerability was discovered in and remediated in versions v4.9.1 and v4.10.1 on May 30, 2013. The 'password' feature is an additional optional check performed by TS1131 that it is connected to a specific controller. This data is sent as clear text and is visible on the network. This feature is not present in TriStation 1131 versions v4.9.1 and v4.10.1 through current. Therefore, the vulnerability is not present in these versions.
CVE-2021-38418 1 Deltaww 1 Dialink 2021-11-05 4.3 MEDIUM 5.9 MEDIUM
Delta Electronics DIALink versions 1.2.4.0 and prior runs by default on HTTP, which may allow an attacker to be positioned between the traffic and perform a machine-in-the-middle attack to access information without authorization.
CVE-2019-6526 1 Moxa 8 Eds-405a, Eds-405a Firmware, Eds-408a and 5 more 2021-11-03 5.0 MEDIUM 9.8 CRITICAL
Moxa IKS-G6824A series Versions 4.5 and prior, EDS-405A series Version 3.8 and prior, EDS-408A series Version 3.8 and prior, and EDS-510A series Version 3.8 and prior use plaintext transmission of sensitive data, which may allow an attacker to capture sensitive data such as an administrative password.
CVE-2019-6540 1 Medtronic 46 Amplia Crt-d, Amplia Crt-d Firmware, Carelink 2090 and 43 more 2021-11-03 3.3 LOW 6.5 MEDIUM
The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.
CVE-2019-19107 2 Abb, Busch-jaeger 4 Tg\/s3.2, Tg\/s3.2 Firmware, 6186\/11 and 1 more 2021-11-03 2.1 LOW 5.5 MEDIUM
The Configuration pages in ABB Telephone Gateway TG/S 3.2 and Busch-Jaeger 6186/11 Telefon-Gateway for user profiles and services transfer the password in plaintext (although hidden when displayed).
CVE-2019-5448 1 Yarnpkg 1 Yarn 2021-11-03 4.3 MEDIUM 8.1 HIGH
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
CVE-2019-3801 1 Cloudfoundry 3 Cf-deployment, Credhub, Uaa Release 2021-10-29 5.0 MEDIUM 9.8 CRITICAL
Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.
CVE-2019-10240 1 Eclipse 1 Hawkbit 2021-10-28 6.8 MEDIUM 8.1 HIGH
Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.
CVE-2019-16545 1 Qmetry 1 Jenkins Qmetry For Jira 2021-10-28 4.0 MEDIUM 6.5 MEDIUM
Jenkins QMetry for JIRA - Test Management Plugin transmits credentials in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.
CVE-2019-10397 1 Jenkins 1 Aqua Security Severless Scanner 2021-10-28 2.6 LOW 3.1 LOW
Jenkins Aqua Security Serverless Scanner Plugin 1.0.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure.
CVE-2021-0296 1 Juniper 1 Ctpview 2021-10-25 5.8 MEDIUM 7.4 HIGH
The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header which allows servers to indicate that content from the requested domain will only be served over HTTPS. The lack of HSTS may leave the system vulnerable to downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. This issue affects Juniper Networks CTPView: 7.3 versions prior to 7.3R7; 9.1 versions prior to 9.1R3.
CVE-2021-39882 1 Gitlab 1 Gitlab 2021-10-12 5.0 MEDIUM 5.3 MEDIUM
In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.
CVE-2021-40847 1 Netgear 22 R6400v2, R6400v2 Firmware, R6700 and 19 more 2021-10-07 9.3 HIGH 8.1 HIGH
The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default. This daemon connects to Circle and NETGEAR to obtain version information and updates to the circled daemon and its filtering database. However, database updates from NETGEAR are unsigned and downloaded via cleartext HTTP. As such, an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code. This affects R6400v2 1.0.4.106, R6700 1.0.2.16, R6700v3 1.0.4.106, R6900 1.0.2.16, R6900P 1.3.2.134, R7000 1.0.11.123, R7000P 1.3.2.134, R7850 1.0.5.68, R7900 1.0.4.38, R8000 1.0.4.68, and RS400 1.5.0.68.
CVE-2020-20128 1 Laracms Project 1 Laracms 2021-10-02 5.0 MEDIUM 7.5 HIGH
LaraCMS v1.0.1 transmits sensitive information in cleartext which can be intercepted by attackers.
CVE-2020-1902 1 Whatsapp 2 Whatsapp, Whatsapp Business 2021-09-14 5.0 MEDIUM 7.5 HIGH
A user running a quick search on a highly forwarded message on WhatsApp for Android from v2.20.108 to v2.20.140 or WhatsApp Business for Android from v2.20.35 to v2.20.49 could have been sent to the Google service over plain HTTP.