Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

CVEs (881)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-41627 1Alivecor 3Kardiamobile 6l Firmware Kardiamobile Card FirmwareKardiamobile Firmware Nov 21, 2024 Oct 27, 2022 N/A· v4 7.6 HIGH· v3 N/A· v2 The physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to r...Show more The physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone’s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves. Show less
CVE-2022-41983 1F5 19Big Ip Access Policy Manager Big Ip Advanced Firewall ManagerBig Ip Advanced Web Application Firewall+16 more Nov 21, 2024 Oct 19, 2022 N/A· v4 3.7 LOW· v3 N/A· v2 On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, while Intel QAT (QuickAssist Technology) and the AES-GCM/CCM cipher is...Show more On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, while Intel QAT (QuickAssist Technology) and the AES-GCM/CCM cipher is in use, undisclosed conditions can cause BIG-IP to send data unencrypted even with an SSL Profile applied.Show less
CVE-2022-3206 1Passster Project 1Passster May 14, 2025 Oct 17, 2022 N/A· v4 5.9 MEDIUM· v3 N/A· v2 The Passster WordPress plugin before 3.5.5.5.2 stores the password inside a cookie named "passster" using base64 encoding method which is easy to decode. This puts the password at risk in case the cookies get leaked.
CVE-2022-39287 1Tiny Csrf Project 1Tiny Csrf Nov 21, 2024 Oct 7, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in c...Show more tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch with be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.Show less
CVE-2022-39269 2Pjsip Teluu 2Pjsip Pjsip May 6, 2026 Oct 6, 2022 N/A· v4 9.1 CRITICAL· v3 N/A· v2 PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing t...Show more PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2022-32227 1Rocketchat 1Rocket.chat May 22, 2025 Sep 23, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth tokens by having the permission "view-full-other-user-info", this could cause an oauth token leak in the...Show more A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth tokens by having the permission "view-full-other-user-info", this could cause an oauth token leak in the product.Show less
CVE-2021-42948 1Digitaldruid 1Hoteldruid Nov 21, 2024 Sep 16, 2022 N/A· v4 3.7 LOW· v3 N/A· v2 HotelDruid Hotel Management Software v3.0.3 and below was discovered to have exposed session tokens in multiple links via GET parameters, allowing attackers to access user session id's.
CVE-2022-38846 1Espocrm 1Espocrm Nov 21, 2024 Sep 16, 2022 N/A· v4 5.9 MEDIUM· v3 N/A· v2 EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using MITM attack.
CVE-2022-30312 1Honeywell 5Trend Iq411 Firmware Trend Iq412 FirmwareTrend Iq422 Firmware+2 more Jun 17, 2025 Sep 7, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Trend Controls IC protocol through 2022-05-06 allows Cleartext Transmission of Sensitive Information. According to FSCT-2022-0050, there is a Trend Controls Inter-Controller (IC) protocol cleartext transmission of cr...Show more The Trend Controls IC protocol through 2022-05-06 allows Cleartext Transmission of Sensitive Information. According to FSCT-2022-0050, there is a Trend Controls Inter-Controller (IC) protocol cleartext transmission of credentials issue. The affected components are characterized as: Inter-Controller (IC) protocol (57612/UDP). The potential impact is: Compromise of credentials. Several Trend Controls building automation controllers utilize the Inter-Controller (IC) protocol in for information exchange and automation purposes. This protocol offers authentication in the form of a 4-digit PIN in order to protect access to sensitive operations like strategy uploads and downloads as well as optional 0-30 character username and password protection for web page access protection. Both the PIN and usernames and passwords are transmitted in cleartext, allowing an attacker with passive interception capabilities to obtain these credentials. Credentials are transmitted in cleartext. An attacker who obtains Trend IC credentials can carry out sensitive engineering actions such as manipulating controller strategy or configuration settings. If the credentials in question are (re)used for other applications, their compromise could potentially facilitate lateral movement.Show less
CVE-2022-2083 1Simple Sign On Project 1Simple Sign On Nov 21, 2024 Sep 5, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 The Simple Single Sign On WordPress plugin through 4.1.0 leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site.
CVE-2022-2485 1Automationdirect 10Sio Mb04ads Firmware Sio Mb04das FirmwareSio Mb04rtds Firmware+7 more Nov 21, 2024 Aug 31, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 Any attempt (good or bad) to log into AutomationDirect Stride Field I/O with a web browser may result in the device responding with its password in the communication packets.
CVE-2022-2005 1Automationdirect 12C More Ea9 Pgmsw Firmware C More Ea9 Rhmi FirmwareC More Ea9 T10cl Firmware+9 more Nov 21, 2024 Aug 31, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 AutomationDirect C-more EA9 HTTP webserver uses an insecure mechanism to transport credentials from client to web server, which may allow an attacker to obtain the login credentials and login as a valid user. This issue...Show more AutomationDirect C-more EA9 HTTP webserver uses an insecure mechanism to transport credentials from client to web server, which may allow an attacker to obtain the login credentials and login as a valid user. This issue affects: AutomationDirect C-more EA9 EA9-T6CL versions prior to 6.73; EA9-T6CL-R versions prior to 6.73; EA9-T7CL versions prior to 6.73; EA9-T7CL-R versions prior to 6.73; EA9-T8CL versions prior to 6.73; EA9-T10CL versions prior to 6.73; EA9-T10WCL versions prior to 6.73; EA9-T12CL versions prior to 6.73; EA9-T15CL versions prior to 6.73; EA9-RHMI versions prior to 6.73; EA9-PGMSW versions prior to 6.73;Show less
CVE-2022-2003 1Automationdirect 9D0 06aa Firmware D0 06ar FirmwareD0 06da Firmware+6 more Nov 21, 2024 Aug 31, 2022 N/A· v4 9.1 CRITICAL· v3 N/A· v2 AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and...Show more AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes. This issue affects: AutomationDirect DirectLOGIC D0-06 series CPUs D0-06DD1 versions prior to 2.72; D0-06DD2 versions prior to 2.72; D0-06DR versions prior to 2.72; D0-06DA versions prior to 2.72; D0-06AR versions prior to 2.72; D0-06AA versions prior to 2.72; D0-06DD1-D versions prior to 2.72; D0-06DD2-D versions prior to 2.72; D0-06DR-D versions prior to 2.72;Show less
CVE-2022-36200 1Fiberhome 1Hg150 Ub Firmware Nov 21, 2024 Aug 29, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 In FiberHome VDSL2 Modem HG150-Ub_V3.0, Credentials of Admin are submitted in URL, which can be logged/sniffed.
CVE-2022-32857 1Apple 6Ipados Iphone OsMac Os X+3 more May 29, 2025 Aug 24, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 This issue was addressed by using HTTPS when sending information over the network. This issue is fixed in macOS Monterey 12.5, macOS Big Sur 11.6.8, Security Update 2022-005 Catalina, iOS 15.6 and iPadOS 15.6, tvOS 15.6,...Show more This issue was addressed by using HTTPS when sending information over the network. This issue is fixed in macOS Monterey 12.5, macOS Big Sur 11.6.8, Security Update 2022-005 Catalina, iOS 15.6 and iPadOS 15.6, tvOS 15.6, watchOS 8.7. A user in a privileged network position can track a user’s activity.Show less
CVE-2021-3590 2Redhat Theforeman 2Foreman Satellite Nov 21, 2024 Aug 22, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 A flaw was found in Foreman project. A credential leak was identified which will expose Azure Compute Profile password through JSON of the API output. The highest threat from this vulnerability is to data confidentiality...Show more A flaw was found in Foreman project. A credential leak was identified which will expose Azure Compute Profile password through JSON of the API output. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.Show less
CVE-2022-2338 1Softing 6Edgeaggregator EdgeconnectorOpc+3 more Nov 21, 2024 Aug 17, 2022 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Softing Secure Integration Server V1.22 is vulnerable to authentication bypass via a machine-in-the-middle attack. The default the administration interface is accessible via plaintext HTTP protocol, facilitating the atta...Show more Softing Secure Integration Server V1.22 is vulnerable to authentication bypass via a machine-in-the-middle attack. The default the administration interface is accessible via plaintext HTTP protocol, facilitating the attack. The HTTP request may contain the session cookie in the request, which may be captured for use in authenticating to the server.Show less
CVE-2022-20243 1Google 1Android Nov 21, 2024 Aug 11, 2022 N/A· v4 4.4 MEDIUM· v3 N/A· v2 In Core Utilities, there is a possible log information disclosure. This could lead to local information disclosure of sensitive browsing data with System execution privileges needed. User interaction is not needed for ex...Show more In Core Utilities, there is a possible log information disclosure. This could lead to local information disclosure of sensitive browsing data with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-190199986Show less
CVE-2022-32245 1Sap 1Businessobjects Business Intelligence Nov 21, 2024 Aug 10, 2022 N/A· v4 8.2 HIGH· v3 N/A· v2 SAP BusinessObjects Business Intelligence Platform (Open Document) - versions 420, 430, allows an unauthenticated attacker to retrieve sensitive information plain text over the network. On successful exploitation, the at...Show more SAP BusinessObjects Business Intelligence Platform (Open Document) - versions 420, 430, allows an unauthenticated attacker to retrieve sensitive information plain text over the network. On successful exploitation, the attacker can view any data available for a business user and put load on the application by an automated attack. Thus, completely compromising confidentiality but causing a limited impact on the availability of the application.Show less
CVE-2022-33724 1Google 1Android Nov 21, 2024 Aug 5, 2022 N/A· v4 3.3 LOW· v3 N/A· v2 Exposure of Sensitive Information in Samsung Dialer application?prior to SMR Aug-2022 Release 1 allows local attackers to access ICCID via log.

Previous 1...212223...45 Next