Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

CVEs (882)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-49820 1Ibm 1Security Guardium Key Lifecycle Manager Jan 10, 2025 Dec 17, 2024 N/A· v4 3.7 LOW· v3 N/A· v2 IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker...Show more IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.Show less
CVE-2024-49819 1Ibm 1Security Guardium Key Lifecycle Manager Jan 10, 2025 Dec 17, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 could allow a remote attacker to obtain sensitive information in cleartext in a communication channel that can be sniffed by unauthorized actors.
CVE-2024-53246 1Splunk 2Splunk Splunk Cloud Platform Mar 10, 2025 Dec 10, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.3.2408.101, 9.2.2406.106, 9.2.2403.111, and 9.1.2312.206, an SPL command can potentially disclose sensitive informati...Show more In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.3.2408.101, 9.2.2406.106, 9.2.2403.111, and 9.1.2312.206, an SPL command can potentially disclose sensitive information. The vulnerability requires the exploitation of another vulnerability, such as a Risky Commands Bypass, for successful exploitation.Show less
CVE-2024-47577 - - Dec 10, 2024 Dec 10, 2024 N/A· v4 2.7 LOW· v3 N/A· v2 Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud has information disclosure vulnerability. When an authorized agent searches for customer to manage their accounts, the request url includes c...Show more Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud has information disclosure vulnerability. When an authorized agent searches for customer to manage their accounts, the request url includes customer data and it is recorded in server logs. If an attacker impersonating as authorized admin visits such server logs, then they get access to the customer data. The amount of leaked confidential data however is extremely limited, and the attacker has no control over what data is leaked.Show less
CVE-2024-6515 1Abb 19Aspect Ent 12 Firmware Aspect Ent 256 FirmwareAspect Ent 2 Firmware+16 more Feb 27, 2025 Dec 5, 2024 8.7 HIGH· v4 8.1 HIGH· v3 N/A· v2 Web browser interface may manipulate application username/password in clear text or Base64 encoding providing a higher probability of unintended credentails exposure. Affected products: ABB ASPECT - Enterprise v3.08....Show more Web browser interface may manipulate application username/password in clear text or Base64 encoding providing a higher probability of unintended credentails exposure. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02Show less
CVE-2021-29892 1Ibm 1Cognos Controller Dec 11, 2024 Dec 3, 2024 N/A· v4 5.9 MEDIUM· v3 N/A· v2 IBM Cognos Controller 11.0.0 and 11.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability...Show more IBM Cognos Controller 11.0.0 and 11.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.Show less
CVE-2024-9834 - - Nov 15, 2024 Nov 14, 2024 N/A· v4 9.3 CRITICAL· v3 N/A· v2 Improper data protection on the ventilator's serial interface could allow an attacker to send and receive messages that result in unauthorized disclosure of information and/or have unintended impacts on device settings a...Show more Improper data protection on the ventilator's serial interface could allow an attacker to send and receive messages that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance.Show less
CVE-2024-28169 - - Nov 15, 2024 Nov 13, 2024 4.3 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 Cleartext transmission of sensitive information for some BigDL software maintained by Intel(R) before version 2.5.0 may allow an authenticated user to potentially enable denial of service via adjacent access.
CVE-2024-43432 1Moodle 1Moodle May 1, 2025 Nov 11, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintent...Show more A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.Show less
CVE-2024-50634 1Sbond 1Watcharr Nov 14, 2024 Nov 8, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 A vulnerability in a weak JWT token in Watcharr v1.43.0 and below allows attackers to perform privilege escalation using a crafted JWT token. This vulnerability is not limited to privilege escalation but also affects all...Show more A vulnerability in a weak JWT token in Watcharr v1.43.0 and below allows attackers to perform privilege escalation using a crafted JWT token. This vulnerability is not limited to privilege escalation but also affects all functions that require authentication.Show less
CVE-2024-32946 1Level1 1Wbr 6012 Firmware Nov 21, 2024 Oct 30, 2024 N/A· v4 5.9 MEDIUM· v3 N/A· v2 A vulnerability in the LevelOne WBR-6012 router's firmware version R0.40e6 allows sensitive information to be transmitted in cleartext via Web and FTP services, exposing it to network sniffing attacks.
CVE-2024-8013 1Mongodb 2Mongo Crypt V1.so Mongocryptd Oct 31, 2024 Oct 28, 2024 N/A· v4 3.3 LOW· v3 N/A· v2 A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this o...Show more A bug in query analysis of certain complex self-referential $lookup subpipelines may result in literal values in expressions for encrypted fields to be sent to the server as plaintext instead of ciphertext. Should this occur, no documents would be returned or written. This issue affects mongocryptd binary (v5.0 versions prior to 5.0.29, v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) and mongo_crypt_v1.so shared libraries (v6.0 versions prior to 6.0.17, v7.0 versions prior to 7.0.12 and v7.3 versions prior to 7.3.4) released alongside MongoDB Enterprise Server versions.Show less
CVE-2024-50624 - - May 31, 2025 Oct 28, 2024 N/A· v4 5.9 MEDIUM· v3 N/A· v2 ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://...Show more ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the configuration. This is related to kmail-account-wizard.Show less
CVE-2024-40595 - - Oct 25, 2024 Oct 24, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 An authentication-bypass issue in the RDP component of One Identity Safeguard for Privileged Sessions (SPS) On Premise before 7.5.1 (and LTS before 7.0.5.1) allows man-in-the-middle attackers to obtain access to privileg...Show more An authentication-bypass issue in the RDP component of One Identity Safeguard for Privileged Sessions (SPS) On Premise before 7.5.1 (and LTS before 7.0.5.1) allows man-in-the-middle attackers to obtain access to privileged sessions on target resources by intercepting cleartext RDP protocol information.Show less
CVE-2024-40090 1Viloliving 1Vilo 5 Firmware Jul 7, 2025 Oct 21, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Vilo 5 Mesh WiFi System <= 5.16.1.33 is vulnerable to Information Disclosure. An information leak in the Boa webserver allows remote, unauthenticated attackers to leak memory addresses of uClibc and the stack via sending...Show more Vilo 5 Mesh WiFi System <= 5.16.1.33 is vulnerable to Information Disclosure. An information leak in the Boa webserver allows remote, unauthenticated attackers to leak memory addresses of uClibc and the stack via sending a GET request to the index page.Show less
CVE-2024-49387 1Acronis 1Cyber Protect Feb 4, 2025 Oct 15, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Cleartext transmission of sensitive information in acep-collector service. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 38690.
CVE-2024-48788 - - Oct 15, 2024 Oct 11, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in YESCAM (com.yescom.YesCam.zwave) 1.0.2 allows a remote attacker to obtain sensitive information via the firmware update process.
CVE-2024-47833 1Avaiga 1Taipy Oct 16, 2024 Oct 9, 2024 6.3 MEDIUM· v4 6.5 MEDIUM· v3 N/A· v2 Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. T...Show more Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2024-9620 - - Oct 10, 2024 Oct 8, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 A flaw was found in Event-Driven Automation (EDA) in Ansible Automation Platform (AAP), which lacks encryption of sensitive information. An attacker with network access could exploit this vulnerability by sniffing the pl...Show more A flaw was found in Event-Driven Automation (EDA) in Ansible Automation Platform (AAP), which lacks encryption of sensitive information. An attacker with network access could exploit this vulnerability by sniffing the plaintext data transmitted between the EDA and AAP. An attacker with system access could exploit this vulnerability by reading the plaintext data stored in EDA and AAP databases.Show less
CVE-2024-47789 - - Oct 14, 2024 Oct 4, 2024 8.7 HIGH· v4 N/A· v3 N/A· v2 UNSUPPORTED WHEN ASSIGNED This vulnerability exists in D3D Security IP Camera D8801 due to usage of weak authentication scheme of the HTTP header protocol where authorization tag contain a Base-64 encoded username...Show more UNSUPPORTED WHEN ASSIGNED This vulnerability exists in D3D Security IP Camera D8801 due to usage of weak authentication scheme of the HTTP header protocol where authorization tag contain a Base-64 encoded username and password. A remote attacker could exploit this vulnerability by crafting a HTTP packet leading to exposure of user credentials of the targeted device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.Show less

Previous 1...101112...45 Next