Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

CVEs (881)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-4497 1Ibm 1Spectrum Protect Plus Nov 21, 2024 Dec 14, 2022 N/A· v4 5.9 MEDIUM· v3 N/A· v2 IBM Spectrum Protect Plus 10.1.0 through 10.1.12 discloses sensitive information due to unencrypted data being used in the communication flow between Spectrum Protect Plus vSnap and its agents. An attacker could obtain...Show more IBM Spectrum Protect Plus 10.1.0 through 10.1.12 discloses sensitive information due to unencrypted data being used in the communication flow between Spectrum Protect Plus vSnap and its agents. An attacker could obtain information using main in the middle techniques. IBM X-Force ID: 182106. Show less
CVE-2020-9420 1Arcadyan 1Vrv9506jac23 Firmware Apr 22, 2025 Dec 14, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The login password of the web administrative dashboard in Arcadyan Wifi routers VRV9506JAC23 is sent in cleartext, allowing an attacker to sniff and intercept traffic to learn the administrative credentials to the router...Show more The login password of the web administrative dashboard in Arcadyan Wifi routers VRV9506JAC23 is sent in cleartext, allowing an attacker to sniff and intercept traffic to learn the administrative credentials to the router.Show less
CVE-2022-43724 1Siemens 1Sicam Pas/pqs Apr 22, 2025 Dec 13, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A vulnerability has been identified in SICAM PAS/PQS (All versions < V7.0). Affected software transmits the database credentials for the inbuilt SQL server in cleartext. In combination with the by default enabled xp_cmds...Show more A vulnerability has been identified in SICAM PAS/PQS (All versions < V7.0). Affected software transmits the database credentials for the inbuilt SQL server in cleartext. In combination with the by default enabled xp_cmdshell feature unauthenticated remote attackers could execute custom OS commands. At the time of assigning the CVE, the affected firmware version of the component has already been superseded by succeeding mainline versions.Show less
CVE-2022-46685 1Gitea 1Gitea Apr 23, 2025 Dec 12, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log.
CVE-2022-40939 1Secu 1Secustation Firmware Apr 22, 2025 Dec 8, 2022 N/A· v4 4.9 MEDIUM· v3 N/A· v2 In certain Secustation products the administrator account password can be read. This affects V2.5.5.3116-S50-SMA-B20171107A, V2.3.4.1301-M20-TSA-B20150617A, V2.5.5.3116-S50-RXA-B20180502A, V2.5.5.3116-S50-SMA-B20190723A,...Show more In certain Secustation products the administrator account password can be read. This affects V2.5.5.3116-S50-SMA-B20171107A, V2.3.4.1301-M20-TSA-B20150617A, V2.5.5.3116-S50-RXA-B20180502A, V2.5.5.3116-S50-SMA-B20190723A, V2.5.5.3116-S50-SMB-B20161012A, V2.3.4.2103-S50-NTD-B20170508B, V2.5.5.3116-S50-SMB-B20160601A, V2.5.5.2601-S50-TSA-B20151229A, and V2.5.5.3116-S50-SMA-B20170217.Show less
CVE-2022-45877 1Openharmony 1Openharmony Nov 21, 2024 Dec 8, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 OpenHarmony-v3.1.4 and prior versions had an vulnerability. PIN code is transmitted to the peer device in plain text during cross-device authentication, which reduces the difficulty of man-in-the-middle attacks.
CVE-2022-45478 1Telepad App 1Telepad Apr 23, 2025 Dec 5, 2022 N/A· v4 5.9 MEDIUM· v3 N/A· v2 Telepad allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-45483 1Lazy Mouse Project 1Lazy Mouse Apr 24, 2025 Dec 2, 2022 N/A· v4 5.9 MEDIUM· v3 N/A· v2 Lazy Mouse allows an attacker (in a man in the middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-45480 1Beappsmobile 1Pc Keyboard Wifi & Bluetooth Apr 24, 2025 Dec 2, 2022 N/A· v4 5.9 MEDIUM· v3 N/A· v2 PC Keyboard WiFi & Bluetooth allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:...Show more PC Keyboard WiFi & Bluetooth allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NShow less
CVE-2022-39339 1Nextcloud 1Openid Connect User Backend Nov 21, 2024 Nov 25, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor w...Show more user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account security. This issue has been addressed in in user_oidc v1.2.1. Users are advised to upgrade. Users unable to upgrade may use https to access Nextcloud. Set an HTTPS discovery URL in the provider settings (in Nextcloud OIDC admin settings).Show less
CVE-2022-44411 1Web Based Quiz System Project 1Web Based Quiz System Apr 29, 2025 Nov 25, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Web Based Quiz System v1.0 transmits user passwords in plaintext during the authentication process, allowing attackers to obtain users' passwords via a bruteforce attack.
CVE-2021-35246 1Solarwinds 1Engineer's Toolset Nov 21, 2024 Nov 23, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use t...Show more The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users.Show less
CVE-2022-43691 1Concretecms 1Concrete Cms Apr 30, 2025 Nov 14, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in...Show more Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production.Show less
CVE-2021-38828 1Xiongmaitech 1Xm Jpr2 Lx Firmware Apr 30, 2025 Nov 14, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Xiongmai Camera XM-JPR2-LX V4.02.R12.A6420987.10002.147502.00000 is vulnerable to plain-text traffic sniffing.
CVE-2022-38122 1Upspowercom 1Upsmon Pro Nov 21, 2024 Nov 10, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 UPSMON PRO transmits sensitive data in cleartext over HTTP protocol. An unauthenticated remote attacker can exploit this vulnerability to access sensitive data.
CVE-2022-33321 1Mitsubishielectric 178Ma Ew85s E Firmware Ma Ew85s Uk FirmwareMac 507if E Firmware+175 more May 1, 2025 Nov 8, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Cleartext Transmission of Sensitive Information vulnerability due to the use of Basic Authentication for HTTP connections in Mitsubishi Electric consumer electronics products (PHOTOVOLTAIC COLOR MONITOR ECO-GUIDE, HEMS a...Show more Cleartext Transmission of Sensitive Information vulnerability due to the use of Basic Authentication for HTTP connections in Mitsubishi Electric consumer electronics products (PHOTOVOLTAIC COLOR MONITOR ECO-GUIDE, HEMS adapter, Wi-Fi Interface, Air Conditioning, Induction hob, Mitsubishi Electric HEMS Energy Measurement Unit, Refrigerator, Remote control with Wi-Fi Interface, BATHROOM THERMO VENTILATOR, Rice cooker, Mitsubishi Electric HEMS control adapter, Energy Recovery Ventilator, Smart Switch, Ventilating Fan, Range hood fan, Energy Measurement Unit and Air Purifier) allows a remote unauthenticated attacker to disclose information in the products or cause a denial of service (DoS) condition as a result by sniffing credential information (username and password). The wide range of models/versions of Mitsubishi Electric consumer electronics products are affected by this vulnerability. As for the affected product models/versions, see the Mitsubishi Electric's advisory which is listed in [References] section. Show less
CVE-2021-39077 1Ibm 1Security Guardium Jul 23, 2025 Nov 3, 2022 N/A· v4 4.4 MEDIUM· v3 N/A· v2 IBM Security Guardium 10.5, 10.6, 11.0, 11.1, 11.2, 11.3, and 11.4 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 215587.
CVE-2021-45447 1Hitachi 1Vantara Pentaho Nov 21, 2024 Nov 2, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and 8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text. The transmission of sensitive data in...Show more Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and 8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text. The transmission of sensitive data in clear text allows unauthorized actors with access to the network to sniff and obtain sensitive information that can be later used to gain unauthorized access. Show less
CVE-2022-42916 4Apple FedoraprojectHaxx+1 more 4Curl FedoraMacos+1 more Feb 13, 2026 Oct 29, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even whe...Show more In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.Show less
CVE-2022-41636 1Haascnc 1Haas Controller Nov 21, 2024 Oct 28, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Communication traffic involving "Ethernet Q Commands" service of Haas Controller version 100.20.000.1110 is transmitted in cleartext. This allows an attacker to obtain sensitive information being passed to and from the c...Show more Communication traffic involving "Ethernet Q Commands" service of Haas Controller version 100.20.000.1110 is transmitted in cleartext. This allows an attacker to obtain sensitive information being passed to and from the controller.Show less

Previous 1...202122...45 Next