Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

CVEs (881)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-27184 1Moxa 3Nport Ia5150a Firmware Nport Ia5250a FirmwareNport Ia5450a Firmware Nov 21, 2024 May 14, 2021 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 The NPort IA5000A Series devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-the-Middle attacks.
CVE-2021-31898 1Jetbrains 1Webstorm Nov 21, 2024 May 11, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In JetBrains WebStorm before 2021.1, HTTP requests were used instead of HTTPS.
CVE-2021-3003 1Agenziaentrate 1Desktop Telematico Nov 21, 2024 May 10, 2021 N/A· v4 5.3 MEDIUM· v3 4.3 MEDIUM· v2 Agenzia delle Entrate Desktop Telematico 1.0.0 contacts the jws.agenziaentrate.it server over cleartext HTTP, which allows man-in-the-middle attackers to spoof product updates.
CVE-2021-27574 1Remotemouse 1Emote Remote Mouse Nov 21, 2024 May 7, 2021 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in Emote Remote Mouse through 4.0.0.0. It uses cleartext HTTP to check, and request, updates. Thus, attackers can machine-in-the-middle a victim to download a malicious binary in place of the real...Show more An issue was discovered in Emote Remote Mouse through 4.0.0.0. It uses cleartext HTTP to check, and request, updates. Thus, attackers can machine-in-the-middle a victim to download a malicious binary in place of the real update, with no SSL errors or warnings.Show less
CVE-2021-27569 1Remotemouse 1Emote Remote Mouse Nov 21, 2024 May 7, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An issue was discovered in Emote Remote Mouse through 4.0.0.0. Attackers can maximize or minimize the window of a running process by sending the process name in a crafted packet. This information is sent in cleartext and...Show more An issue was discovered in Emote Remote Mouse through 4.0.0.0. Attackers can maximize or minimize the window of a running process by sending the process name in a crafted packet. This information is sent in cleartext and is not protected by any authentication logic.Show less
CVE-2021-31815 1Google 1Google/apple Exposure Notifications Nov 21, 2024 Apr 28, 2021 N/A· v4 3.3 LOW· v3 2.1 LOW· v2 GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on Android allows attackers to obtain sensitive information, such as a user's location history, in-person social graph, and (sometimes) COVID-19 infection...Show more GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on Android allows attackers to obtain sensitive information, such as a user's location history, in-person social graph, and (sometimes) COVID-19 infection status, because Rolling Proximity Identifiers and MAC addresses are written to the Android system log, and many Android devices have applications (preinstalled by the hardware manufacturer or network operator) that read system log data and send it to third parties. NOTE: a news outlet (The Markup) states that they received a vendor response indicating that fix deployment "began several weeks ago and will be complete in the coming days."Show less
CVE-2021-31671 1Pgsync Project 1Pgsync Nov 21, 2024 Apr 27, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 pgsync before 0.6.7 is affected by Information Disclosure of sensitive information. Syncing the schema with the --schema-first and --schema-only options is mishandled. For example, the sslmode connection parameter may be...Show more pgsync before 0.6.7 is affected by Information Disclosure of sensitive information. Syncing the schema with the --schema-first and --schema-only options is mishandled. For example, the sslmode connection parameter may be lost, which means that SSL would not be used.Show less
CVE-2021-3494 1Theforeman 1Foreman Nov 21, 2024 Apr 26, 2021 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certifi...Show more A smart proxy that provides a restful API to various sub-systems of the Foreman is affected by the flaw which can cause a Man-in-the-Middle attack. The FreeIPA module of Foreman smart proxy does not check the SSL certificate, thus, an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0.Show less
CVE-2020-26197 1Dell 1Emc Powerscale Onefs Nov 21, 2024 Apr 20, 2021 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Dell PowerScale OneFS 8.1.0 - 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor. Note: This does not affect...Show more Dell PowerScale OneFS 8.1.0 - 9.1.0 contains an LDAP Provider inability to connect over TLSv1.2 vulnerability. It may make it easier to eavesdrop and decrypt such traffic for a malicious actor. Note: This does not affect clusters which are not relying on an LDAP server for the authentication provider.Show less
CVE-2021-20992 1Fibaro 2Home Center 2 Firmware Home Center Lite Firmware Nov 21, 2024 Apr 19, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, toke...Show more In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords.Show less
CVE-2021-23884 1Mcafee 1Content Security Reporter Nov 21, 2024 Apr 15, 2021 N/A· v4 4.3 MEDIUM· v3 2.7 LOW· v2 Cleartext Transmission of Sensitive Information vulnerability in the ePO Extension of McAfee Content Security Reporter (CSR) prior to 2.8.0 allows an ePO administrator to view the unencrypted password of the McAfee Web G...Show more Cleartext Transmission of Sensitive Information vulnerability in the ePO Extension of McAfee Content Security Reporter (CSR) prior to 2.8.0 allows an ePO administrator to view the unencrypted password of the McAfee Web Gateway (MWG) or the password of the McAfee Web Gateway Cloud Server (MWGCS) read only user used to retrieve log files for analysis in CSR.Show less
CVE-2020-7308 1Mcafee 1Endpoint Security Nov 21, 2024 Apr 15, 2021 N/A· v4 6.5 MEDIUM· v3 6.4 MEDIUM· v2 Cleartext Transmission of Sensitive Information between McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update and McAfee Global Threat Intelligence (GTI) servers using DNS allows a remote attack...Show more Cleartext Transmission of Sensitive Information between McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update and McAfee Global Threat Intelligence (GTI) servers using DNS allows a remote attacker to view the requests from ENS and responses from GTI over DNS. By gaining control of an intermediate DNS server or altering the network DNS configuration, it is possible for an attacker to intercept requests and send their own responses.Show less
CVE-2021-27251 1Netgear 43Br200 Firmware Br500 FirmwareD7800 Firmware+40 more Nov 21, 2024 Apr 14, 2021 N/A· v4 8.8 HIGH· v3 8.3 HIGH· v2 This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Nighthawk R7800. Authentication is not required to exploit this vulnerability The specific flaw exists w...Show more This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Nighthawk R7800. Authentication is not required to exploit this vulnerability The specific flaw exists within handling of firmware updates. The issue results from a fallback to a insecure protocol to deliver updates. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-12308.Show less
CVE-2021-3473 1Lenovo 1Xclarity Controller Nov 21, 2024 Apr 13, 2021 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is...Show more An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC service log is only generated when requested by a privileged XCC user and it is only accessible to the privileged XCC user that requested the file. The backup/restore password is not captured if the backup/restore is initiated directly from XCC.Show less
CVE-2021-27194 1Netop 1Vision Pro Nov 21, 2024 Mar 25, 2021 N/A· v4 8.8 HIGH· v3 3.3 LOW· v2 Cleartext transmission of sensitive information in Netop Vision Pro up to and including 9.7.1 allows a remote unauthenticated attacker to gather credentials including Windows login usernames and passwords.
CVE-2021-21387 1Wrongthink 1Wrongthink Nov 21, 2024 Mar 19, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. In wrongthink from version 2.0.0 and before 2.3.0 there was a set of vulnerabilities causing inadequate encryption strength. Part o...Show more Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. In wrongthink from version 2.0.0 and before 2.3.0 there was a set of vulnerabilities causing inadequate encryption strength. Part of the secret identity key was disclosed by the fingerprint used for connection. Additionally, the safety number was improperly calculated. It was computed using part of one of the public identity keys instead of being derived from both public identity keys. This caused issues in computing safety numbers which would potentially be exploitable in the real world. Additionally there was inadequate encryption strength due to use of 1024-bit DSA keys. These issues are all fixed in version 2.3.0.Show less
CVE-2019-18231 1Advantech 1Spectre Rt Ert351 Firmware Nov 21, 2024 Mar 17, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Advantech Spectre RT ERT351 Versions 5.1.3 and prior logins and passwords are transmitted in clear text form, which may allow an attacker to intercept the request.
CVE-2020-35456 1Taidii 1Diibear Nov 21, 2024 Mar 17, 2021 N/A· v4 5.5 MEDIUM· v3 4.3 MEDIUM· v2 The Taidii Diibear Android application 2.4.0 and all its derivatives allow attackers to view private chat messages and media files via logcat because of excessive logging.
CVE-2021-3417 1Lenovo 1Xclarity Orchestrator Nov 21, 2024 Mar 9, 2021 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 An internal product security audit of LXCO, prior to version 1.2.2, discovered that credentials for Lenovo XClarity Administrator (LXCA), if added as a Resource Manager, are encoded then written to an internal LXCO log f...Show more An internal product security audit of LXCO, prior to version 1.2.2, discovered that credentials for Lenovo XClarity Administrator (LXCA), if added as a Resource Manager, are encoded then written to an internal LXCO log file each time a session is established with LXCA. Affected logs are captured in the First Failure Data Capture (FFDC) service log. The FFDC service log is only generated when requested by a privileged LXCO user and it is only accessible to the privileged LXCO user that requested the file.Show less
CVE-2020-8356 1Lenovo 1Xclarity Orchestrator Nov 21, 2024 Mar 9, 2021 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 An internal product security audit of LXCO, prior to version 1.2.2, discovered that optional passwords, if specified, for the Syslog and SMTP forwarders are written to an internal LXCO log file in clear text. Affected lo...Show more An internal product security audit of LXCO, prior to version 1.2.2, discovered that optional passwords, if specified, for the Syslog and SMTP forwarders are written to an internal LXCO log file in clear text. Affected logs are captured in the First Failure Data Capture (FFDC) service log. The FFDC service log is only generated when requested by a privileged LXCO user and it is only accessible to the privileged LXCO user that requested the file.Show less

Previous 1...272829...45 Next