Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

CVEs (882)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-5631 - - Nov 21, 2024 Jul 9, 2024 6.0 MEDIUM· v4 N/A· v3 N/A· v2 Longse NVR (Network Video Recorder) model NVR3608PGE2W, as well as products based on this device, are transmitting user's login and password to a remote control service without using any encryption. This enables an on-pa...Show more Longse NVR (Network Video Recorder) model NVR3608PGE2W, as well as products based on this device, are transmitting user's login and password to a remote control service without using any encryption. This enables an on-path attacker to eavesdrop the credentials and subsequently obtain access to the video stream. The credentials are being sent when a user decides to change his password in router's portal.Show less
CVE-2024-6388 1Canonical 1Ubuntu Advantage Desktop Daemon Aug 27, 2025 Jun 27, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Marco Trevisan discovered that the Ubuntu Advantage Desktop Daemon, before version 1.12, leaks the Pro token to unprivileged users by passing the token as an argument in plaintext.
CVE-2024-37183 1Westermo 1L210 F2g Firmware Jul 30, 2025 Jun 20, 2024 6.9 MEDIUM· v4 7.5 HIGH· v3 N/A· v2 Plain text credentials and session ID can be captured with a network sniffer.
CVE-2024-0066 - - Nov 21, 2024 Jun 18, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Johan Fagerström, member of the AXIS OS Bug Bounty Program, has found that a O3C feature may expose sensitive traffic between the client (Axis device) and (O3C) server. If O3C is not being used this flaw does not apply....Show more Johan Fagerström, member of the AXIS OS Bug Bounty Program, has found that a O3C feature may expose sensitive traffic between the client (Axis device) and (O3C) server. If O3C is not being used this flaw does not apply. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.Show less
CVE-2024-27166 - - Nov 21, 2024 Jun 14, 2024 N/A· v4 7.4 HIGH· v3 N/A· v2 Coredump binaries in Toshiba printers have incorrect permissions. A local attacker can steal confidential information. As for the affected products/models/versions, see the reference URL.
CVE-2024-27163 - - Nov 21, 2024 Jun 14, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Toshiba printers will display the password of the admin user in clear-text and additional passwords when sending 2 specific HTTP requests to the internal API. An attacker stealing the cookie of an admin or abusing a XSS...Show more Toshiba printers will display the password of the admin user in clear-text and additional passwords when sending 2 specific HTTP requests to the internal API. An attacker stealing the cookie of an admin or abusing a XSS vulnerability can recover this password in clear-text and compromise the printer. This vulnerability can be executed in combination with other vulnerabilities and difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the "Base Score" of this vulnerability. For detail on related other vulnerabilities, please ask to the below contact point. https://www.toshibatec.com/contacts/products/ As for the affected products/models/versions, see the reference URL.Show less
CVE-2024-35210 1Siemens 1Sinec Traffic Analyzer Feb 11, 2025 Jun 11, 2024 5.1 MEDIUM· v4 7.5 HIGH· v3 N/A· v2 A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected web server is not enforcing HSTS. This could allow an attacker to perform downgrade attacks exposing...Show more A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected web server is not enforcing HSTS. This could allow an attacker to perform downgrade attacks exposing confidential information.Show less
CVE-2024-37393 1Securenvoy 1Multi Factor Authentication Solutions Nov 21, 2024 Jun 10, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through bl...Show more Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.Show less
CVE-2024-37163 1Opensourcelabs 1Skyscraper Nov 21, 2024 Jun 7, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 SkyScrape is a GUI Dashboard for AWS Infrastructure and Managing Resources and Usage Costs. SkyScrape's API requests are currently unsecured HTTP requests, leading to potential vulnerabilities for the user's temporary c...Show more SkyScrape is a GUI Dashboard for AWS Infrastructure and Managing Resources and Usage Costs. SkyScrape's API requests are currently unsecured HTTP requests, leading to potential vulnerabilities for the user's temporary credentials and data. This affects version 1.0.0.Show less
CVE-2024-36426 - - Mar 18, 2025 May 27, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 In TARGIT Decision Suite 23.2.15007.0 before Autumn 2023, the session token is part of the URL and may be sent in a cleartext HTTP session.
CVE-2024-35060 1Nasa 1Ait Core Jun 3, 2025 May 21, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in the YAML Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands via supplying a crafted YAML file.
CVE-2024-35059 1Nasa 1Ait Core Jun 3, 2025 May 21, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands.
CVE-2024-35058 1Nasa 1Ait Core Jun 3, 2025 May 21, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in the API wait function of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via supplying a crafted string.
CVE-2024-35057 1Nasa 1Ait Core Jun 3, 2025 May 21, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via a crafted packet.
CVE-2024-31840 1Italtel 1Embrace Mar 14, 2025 May 21, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue was discovered in Italtel Embrace 1.6.4. The web application inserts cleartext passwords in the HTML source code. An authenticated user is able to edit the configuration of the email server. Once the user access...Show more An issue was discovered in Italtel Embrace 1.6.4. The web application inserts cleartext passwords in the HTML source code. An authenticated user is able to edit the configuration of the email server. Once the user access the edit function, the web application fills the edit form with the current credentials for the email account, including the cleartext password.Show less
CVE-2024-30209 - - Nov 21, 2024 May 14, 2024 9.0 CRITICAL· v4 9.6 CRITICAL· v3 N/A· v2 A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2...Show more A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected systems transmit client-side resources without proper cryptographic protection. This could allow an attacker to eavesdrop on and modify resources in transit. A successful exploit requires an attacker to be in the network path between the RTLS Locating Manager server and a client (MitM).Show less
CVE-2024-28134 1Phoenixcontact 4Charx Sec 3000 Firmware Charx Sec 3050 FirmwareCharx Sec 3100 Firmware+1 more Jan 23, 2025 May 14, 2024 N/A· v4 7.0 HIGH· v3 N/A· v2 An unauthenticated remote attacker can extract a session token with a MitM attack and gain web-based management access with the privileges of the currently l...Show more An unauthenticated remote attacker can extract a session token with a MitM attack and gain web-based management access with the privileges of the currently logged in user due to cleartext transmission of sensitive information. No additional user interaction is required. The access is limited as only non-sensitive information can be obtained but the availability can be seriously affected. Show less
CVE-2024-0098 1Nvidia 1Chatrtx Sep 17, 2025 May 14, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 NVIDIA ChatRTX for Windows contains a vulnerability in the ChatRTX UI and backend, where a user can cause a clear-text transmission of sensitive information issue by data sniffing. A successful exploit of this vulnerabil...Show more NVIDIA ChatRTX for Windows contains a vulnerability in the ChatRTX UI and backend, where a user can cause a clear-text transmission of sensitive information issue by data sniffing. A successful exploit of this vulnerability might lead to information disclosure.Show less
CVE-2022-32510 - - Nov 21, 2024 May 14, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 An issue was discovered on certain Nuki Home Solutions devices. The HTTP API exposed by a Bridge used an unencrypted channel to provide an administrative interface. A token can be easily eavesdropped by a malicious actor...Show more An issue was discovered on certain Nuki Home Solutions devices. The HTTP API exposed by a Bridge used an unencrypted channel to provide an administrative interface. A token can be easily eavesdropped by a malicious actor to impersonate a legitimate user and gain access to the full set of API endpoints. This affects Nuki Bridge v1 before 1.22.0 and v2 before 2.13.2.Show less
CVE-2024-1657 - - Feb 25, 2026 Apr 25, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A flaw was found in the ansible automation platform. An insecure WebSocket connection was being used in installation from the Ansible rulebook EDA server. An attacker that has access to any machine in the CIDR block coul...Show more A flaw was found in the ansible automation platform. An insecure WebSocket connection was being used in installation from the Ansible rulebook EDA server. An attacker that has access to any machine in the CIDR block could download all rulebook data from the WebSocket, resulting in loss of confidentiality and integrity of the system.Show less

Previous 1...121314...45 Next