Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

CVEs (881)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-4152 1Ibm 1Qradar Network Security Nov 21, 2024 Nov 8, 2021 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 IBM QRadar Network Security 5.4.0 and 5.5.0 transmits sensitive or security-critical data in cleartext in a communication channel that can be obtained using man in the middle techniques. IBM X-Force ID: 17467.
CVE-2021-3774 1Meross 1Mss550x Firmware Nov 21, 2024 Nov 5, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X), on its 3.1.3 version and before, creates an open Wi-Fi Access Point without the required security measures in its initial setup. This could allow a remote attacker to obtai...Show more Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X), on its 3.1.3 version and before, creates an open Wi-Fi Access Point without the required security measures in its initial setup. This could allow a remote attacker to obtain the Wi-Fi SSID as well as the password configured by the user from Meross app via Http/JSON plain request.Show less
CVE-2021-29753 1Ibm 2Business Automation Workflow Business Process Manager Nov 21, 2024 Nov 5, 2021 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 IBM Business Automation Workflow 18. 19, 20, 21, and IBM Business Process Manager 8.5 and d8.6 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized intercepti...Show more IBM Business Automation Workflow 18. 19, 20, 21, and IBM Business Process Manager 8.5 and d8.6 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Show less
CVE-2021-42699 1Azeotech 1Daqfactory Nov 21, 2024 Nov 5, 2021 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 The affected product is vulnerable to cookie information being transmitted as cleartext over HTTP. An attacker can capture network traffic, obtain the user’s cookie and take over the account.
CVE-2021-38418 1Deltaww 1Dialink Nov 21, 2024 Nov 3, 2021 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 Delta Electronics DIALink versions 1.2.4.0 and prior runs by default on HTTP, which may allow an attacker to be positioned between the traffic and perform a machine-in-the-middle attack to access information without auth...Show more Delta Electronics DIALink versions 1.2.4.0 and prior runs by default on HTTP, which may allow an attacker to be positioned between the traffic and perform a machine-in-the-middle attack to access information without authorization.Show less
CVE-2021-43270 1Datalust 1Seq.app.emailplus Nov 21, 2024 Nov 2, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Datalust Seq.App.EmailPlus (aka seq-app-htmlemail) 3.1.0-dev-00148, 3.1.0-dev-00170, and 3.1.0-dev-00176 can use cleartext SMTP on port 25 in some cases where encryption on port 465 was intended.
CVE-2021-39341 1Optinmonster 1Optinmonster Nov 21, 2024 Nov 1, 2021 N/A· v4 8.2 HIGH· v3 6.4 MEDIUM· v2 The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/R...Show more The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4.Show less
CVE-2021-0296 1Juniper 1Ctpview Nov 21, 2024 Oct 19, 2021 N/A· v4 7.4 HIGH· v3 5.8 MEDIUM· v2 The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header which allows servers to indicate that content from the requested domain will only be served...Show more The Juniper Networks CTPView server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header which allows servers to indicate that content from the requested domain will only be served over HTTPS. The lack of HSTS may leave the system vulnerable to downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. This issue affects Juniper Networks CTPView: 7.3 versions prior to 7.3R7; 9.1 versions prior to 9.1R3.Show less
CVE-2021-20599 1Mitsubishielectric 8R08psfcpu Firmware R08sfcpu FirmwareR120psfcpu Firmware+5 more Nov 21, 2024 Oct 14, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Cleartext Transmission of Sensitive InformationCleartext transmission of sensitive information vulnerability in MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU firmware versions "26" and prior and MELSEC iQ-R series SIL...Show more Cleartext Transmission of Sensitive InformationCleartext transmission of sensitive information vulnerability in MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU firmware versions "26" and prior and MELSEC iQ-R series SIL2 Process CPU R08/16/32/120PSFCPU firmware versions "11" and prior allows a remote unauthenticated attacker to login to a target CPU module by obtaining credentials other than password.Show less
CVE-2021-39882 1Gitlab 1Gitlab Nov 21, 2024 Oct 5, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.
CVE-2020-20128 1Laracms Project 1Laracms Nov 21, 2024 Sep 29, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 LaraCMS v1.0.1 transmits sensitive information in cleartext which can be intercepted by attackers.
CVE-2021-39342 1Credova 1Financial Nov 21, 2024 Sep 29, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The Credova_Financial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financin...Show more The Credova_Financial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8.Show less
CVE-2021-22946 8Apple DebianFedoraproject+5 more 29Cloud Backup Clustered Data OntapCommerce Guided Search+26 more Apr 16, 2026 Sep 29, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLU...Show more A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations withoutTLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.Show less
CVE-2021-36165 1Riconmobile 1S9922l Firmware Nov 21, 2024 Sep 28, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 RICON Industrial Cellular Router S9922L 16.10.3(3794) is affected by cleartext storage of sensitive information and sends username and password as base64.
CVE-2021-40847 1Netgear 11R6400v2 Firmware R6700 FirmwareR6700v3 Firmware+8 more Nov 21, 2024 Sep 21, 2021 N/A· v4 8.1 HIGH· v3 9.3 HIGH· v2 The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enab...Show more The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default. This daemon connects to Circle and NETGEAR to obtain version information and updates to the circled daemon and its filtering database. However, database updates from NETGEAR are unsigned and downloaded via cleartext HTTP. As such, an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code. This affects R6400v2 1.0.4.106, R6700 1.0.2.16, R6700v3 1.0.4.106, R6900 1.0.2.16, R6900P 1.3.2.134, R7000 1.0.11.123, R7000P 1.3.2.134, R7850 1.0.5.68, R7900 1.0.4.38, R8000 1.0.4.68, and RS400 1.5.0.68.Show less
CVE-2021-38142 1Barco 1Mirrorop Windows Sender Nov 21, 2024 Sep 7, 2021 N/A· v4 8.8 HIGH· v3 7.2 HIGH· v2 Barco MirrorOp Windows Sender before 2.5.3.65 uses cleartext HTTP and thus allows rogue software upgrades. An attacker on the local network can achieve remote code execution on any computer that tries to update Windows S...Show more Barco MirrorOp Windows Sender before 2.5.3.65 uses cleartext HTTP and thus allows rogue software upgrades. An attacker on the local network can achieve remote code execution on any computer that tries to update Windows Sender due to the fact that the upgrade mechanism is not secured (is not protected with TLS).Show less
CVE-2021-39272 2Fedoraproject Fetchmail 2Fedora Fetchmail Nov 21, 2024 Aug 30, 2021 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
CVE-2021-33883 1Bbraun 1Spacecom2 Nov 21, 2024 Aug 25, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data incl...Show more A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump's internal configuration.Show less
CVE-2021-38373 1Kde 1Kmail Nov 21, 2024 Aug 10, 2021 N/A· v4 5.3 MEDIUM· v3 3.5 LOW· v2 In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked.
CVE-2021-22923 6Fedoraproject HaxxNetapp+3 more 16Cloud Backup Clustered Data OntapCurl+13 more Nov 21, 2024 Aug 5, 2021 N/A· v4 5.3 MEDIUM· v3 2.6 LOW· v2 When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers fr...Show more When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.Show less

Previous 1...252627...45 Next