Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

CVEs (882)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-7731 - - Sep 2, 2025 Sep 1, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Cleartext Transmission of Sensitive Information vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to obtain credential information by intercepting SLM...Show more Cleartext Transmission of Sensitive Information vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to obtain credential information by intercepting SLMP communication messages, and read or write the device values of the product and stop the operations of programs by using the obtained credential information.Show less
CVE-2025-31972 1Hcltech 1Bigfix Service Management Oct 29, 2025 Aug 28, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 HCL BigFix SM is affected by a Sensitive Information Exposure vulnerability where internal connections do not use TLS encryption which could allow an attacker unauthorized access to sensitive data transmitted between int...Show more HCL BigFix SM is affected by a Sensitive Information Exposure vulnerability where internal connections do not use TLS encryption which could allow an attacker unauthorized access to sensitive data transmitted between internal components.Show less
CVE-2025-52351 - - Aug 22, 2025 Aug 21, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Aikaan IoT management platform v3.25.0325-5-g2e9c59796 sends a newly generated password to users in plaintext via email and also includes the same password as a query parameter in the account activation URL (e.g., https:...Show more Aikaan IoT management platform v3.25.0325-5-g2e9c59796 sends a newly generated password to users in plaintext via email and also includes the same password as a query parameter in the account activation URL (e.g., https://domain.com/activate=xyz). This practice can result in password exposure via browser history, proxy logs, referrer headers, and email caching. The vulnerability impacts user credential confidentiality during initial onboarding.Show less
CVE-2025-6180 - - Aug 22, 2025 Aug 20, 2025 8.5 HIGH· v4 N/A· v3 N/A· v2 The StrongDM Client insufficiently protected a pre-authentication token. Attackers could exploit this to intercept and reuse the token, potentially redeeming valid authentication credentials through a race condition.
CVE-2025-57727 1Jetbrains 1Intellij Idea Aug 21, 2025 Aug 20, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference
CVE-2025-54156 1Santesoft 1Sante Pacs Server Oct 17, 2025 Aug 18, 2025 9.1 CRITICAL· v4 7.5 HIGH· v3 N/A· v2 The Sante PACS Server Web Portal sends credential information without encryption.
CVE-2025-8863 - - Aug 11, 2025 Aug 11, 2025 7.0 HIGH· v4 N/A· v3 N/A· v2 YugabyteDB diagnostic information was transmitted over HTTP, which could expose sensitive data during transmission
CVE-2025-8741 1Macrozheng 1Mall Apr 29, 2026 Aug 8, 2025 2.9 LOW· v4 5.9 MEDIUM· v3 2.6 LOW· v2 A vulnerability was found in macrozheng mall up to 1.0.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/login. The manipulation leads to cleartext tran...Show more A vulnerability was found in macrozheng mall up to 1.0.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/login. The manipulation leads to cleartext transmission of sensitive information. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-52586 - - Sep 8, 2025 Aug 8, 2025 7.5 HIGH· v4 6.9 MEDIUM· v3 N/A· v2 The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to in...Show more The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data, including read/write operations for voltage, current, and power configuration, operational status, alarms, telemetry, system reset, or inverter control commands, potentially disrupting power generation or reconfiguring inverter settings.Show less
CVE-2025-54799 - - Aug 7, 2025 Aug 7, 2025 2.3 LOW· v4 N/A· v3 N/A· v2 Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking...Show more Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2.Show less
CVE-2025-36020 1Ibm 1Guardium Data Protection Aug 13, 2025 Aug 6, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 IBM Guardium Data Protection could allow a remote attacker to obtain sensitive information due to cleartext transmission of sensitive credential information.
CVE-2025-52490 1Couchbase 1Sync Gateway Aug 6, 2025 Jul 29, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 An issue was discovered in Couchbase Sync Gateway before 3.2.6. In sgcollect_info_options.log and sync_gateway.log, there are cleartext passwords in redacted and unredacted output.
CVE-2025-8205 1Comodo 1Dragon Apr 29, 2026 Jul 26, 2025 2.9 LOW· v4 3.7 LOW· v3 2.6 LOW· v2 A vulnerability, which was classified as problematic, has been found in Comodo Dragon up to 134.0.6998.179. Affected by this issue is some unknown functionality of the component IP DNS Leakage Detector. The manipulation...Show more A vulnerability, which was classified as problematic, has been found in Comodo Dragon up to 134.0.6998.179. Affected by this issue is some unknown functionality of the component IP DNS Leakage Detector. The manipulation leads to cleartext transmission of sensitive information. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-0252 1Hcltech 1Intelliops Event Management Oct 9, 2025 Jul 25, 2025 N/A· v4 4.8 MEDIUM· v3 N/A· v2 HCL IEM is affected by a password in cleartext vulnerability. Sensitive information is transmitted without adequate protection, potentially exposing it to unauthorized access during transit.
CVE-2025-0250 1Hcltech 1Intelliops Event Management Oct 9, 2025 Jul 25, 2025 N/A· v4 4.9 MEDIUM· v3 N/A· v2 HCL IEM is affected by an authorization token sent in cookie vulnerability. A token used for authentication and authorization is being handled in a manner that may increase its exposure to security risks.
CVE-2025-53703 - - Jul 25, 2025 Jul 22, 2025 8.7 HIGH· v4 7.5 HIGH· v3 N/A· v2 DuraComm SPM-500 DP-10iN-100-MU transmits sensitive data without encryption over a channel that could be intercepted by attackers.
CVE-2025-36107 1Ibm 1Cognos Analytics Mobile Aug 7, 2025 Jul 21, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 could allow malicious actors to obtain sensitive information due to the cleartext transmission of data.
CVE-2025-2818 - - Jul 17, 2025 Jul 17, 2025 5.1 MEDIUM· v4 3.5 LOW· v3 N/A· v2 A vulnerability was reported in version 1.0 of the Bluetooth Transmission Alliance protocol adopted by Motorola Smart Connect Android Application that could allow a nearby attacker within the Bluetooth interaction range...Show more A vulnerability was reported in version 1.0 of the Bluetooth Transmission Alliance protocol adopted by Motorola Smart Connect Android Application that could allow a nearby attacker within the Bluetooth interaction range to intercept files when transferred to a device not paired in Smart Connect.Show less
CVE-2025-53756 - - Jul 16, 2025 Jul 16, 2025 8.7 HIGH· v4 N/A· v3 N/A· v2 This vulnerability exists in Digisol DG-GR6821AC Router due to cleartext transmission of credentials in its web management interface. A remote attacker could exploit this vulnerability by intercepting the network traffic...Show more This vulnerability exists in Digisol DG-GR6821AC Router due to cleartext transmission of credentials in its web management interface. A remote attacker could exploit this vulnerability by intercepting the network traffic and capturing cleartext credentials. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted device.Show less
CVE-2025-53861 1Redhat 1Ansible Automation Platform Aug 11, 2025 Jul 11, 2025 N/A· v4 3.1 LOW· v3 N/A· v2 A flaw was found in Ansible. Sensitive cookies without security flags over non-encrypted channels can lead to Man-in-the-Middle (MitM) and Cross-site scripting (XSS) attacks allowing attackers to read transmitted data.

Previous 1...678...45 Next