Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

CVEs (881)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-1749 2Linux Redhat 3Enterprise Linux Enterprise MrgLinux Kernel Nov 21, 2024 Sep 9, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly r...Show more A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.Show less
CVE-2020-3702 3Arista DebianQualcomm 13Access Point Apq8053 FirmwareDebian Linux+10 more Nov 21, 2024 Sep 8, 2020 N/A· v4 6.5 MEDIUM· v3 3.3 LOW· v2 u'Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete s...Show more u'Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MSM8909W, MSM8996AU, QCA9531, QCN5502, QCS405, SDX20, SM6150, SM7150Show less
CVE-2020-2251 1Jenkins 2Jenkins Soapui Pro Functional Testing Nov 21, 2024 Sep 1, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Jenkins SoapUI Pro Functional Testing Plugin 1.5 and earlier transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.
CVE-2019-4689 1Ibm 2Guardium Data Encryption Guardium For Cloud Key Management Nov 21, 2024 Aug 26, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 IBM Security Guardium Data Encryption (GDE) 3.0.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this v...Show more IBM Security Guardium Data Encryption (GDE) 3.0.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 171826.Show less
CVE-2020-15482 1Niscomed 1M1000 Multipara Patient Monitor Firmware Nov 21, 2024 Aug 26, 2020 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 An issue was discovered on Nescomed Multipara Monitor M1000 devices. The device enables an unencrypted TELNET service by default, with a blank password for the admin account. This allows an attacker to gain root access t...Show more An issue was discovered on Nescomed Multipara Monitor M1000 devices. The device enables an unencrypted TELNET service by default, with a blank password for the admin account. This allows an attacker to gain root access to the device over the local network.Show less
CVE-2020-10124 1Ncr 1Aptra Xfs Nov 4, 2025 Aug 21, 2020 N/A· v4 7.1 HIGH· v3 4.4 MEDIUM· v2 NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, authenticate, or verify the integrity of messages between the BNA and the host computer, which could allow an attacker with physical access to the internal com...Show more NCR SelfServ ATMs running APTRA XFS 05.01.00 do not encrypt, authenticate, or verify the integrity of messages between the BNA and the host computer, which could allow an attacker with physical access to the internal components of the ATM to execute arbitrary code, including code that enables the attacker to commit deposit forgery.Show less
CVE-2020-2232 1Jenkins 1Email Extension Nov 21, 2024 Aug 12, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Jenkins Email Extension Plugin 2.72 and 2.73 transmits and displays the SMTP password in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure.
CVE-2020-9526 1Cs2 Network 1P2p Nov 21, 2024 Aug 10, 2020 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an information exposure flaw that exposes user session data to supernodes in the network, as demonstrated by passively eavesdro...Show more CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an information exposure flaw that exposes user session data to supernodes in the network, as demonstrated by passively eavesdropping on user video/audio streams, capturing credentials, and compromising devices.Show less
CVE-2020-15062 1Digitus 1Da 70254 Firmware Nov 21, 2024 Aug 7, 2020 N/A· v4 8.8 HIGH· v3 3.3 LOW· v2 DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15058 1Lindy International 142633 Firmware Nov 21, 2024 Aug 7, 2020 N/A· v4 8.8 HIGH· v3 3.3 LOW· v2 Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15054 1Tp Link 1Tl Ps310u Firmware Nov 21, 2024 Aug 7, 2020 N/A· v4 8.8 HIGH· v3 3.3 LOW· v2 TP-Link USB Network Server TL-PS310U devices before 2.079.000.t0210 allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15954 2Debian Kde 2Debian Linux Kmail Nov 21, 2024 Jul 27, 2020 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use.
CVE-2020-12638 1Espressif 3Esp Idf Esp8266 Nonos SdkEsp8266 Rtos Sdk Nov 21, 2024 Jul 23, 2020 N/A· v4 6.8 MEDIUM· v3 4.3 MEDIUM· v2 An encryption-bypass issue was discovered on Espressif ESP-IDF devices through 4.2, ESP8266_NONOS_SDK devices through 3.0.3, and ESP8266_RTOS_SDK devices through 3.3. Broadcasting forged beacon frames forces a device to...Show more An encryption-bypass issue was discovered on Espressif ESP-IDF devices through 4.2, ESP8266_NONOS_SDK devices through 3.0.3, and ESP8266_RTOS_SDK devices through 3.3. Broadcasting forged beacon frames forces a device to change its authentication mode to OPEN, effectively disabling its 802.11 encryption.Show less
CVE-2020-4397 1Ibm 1Verify Gateway Nov 21, 2024 Jul 22, 2020 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 transmits sensitive information in plain text which could be obtained by an attacker using man in the middle techniques. IBM X-Force ID: 179428.
CVE-2020-3442 1Duo 1Duoconnect Nov 21, 2024 Jul 20, 2020 N/A· v4 5.7 MEDIUM· v3 2.9 LOW· v2 The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user’s brows...Show more The DuoConnect client enables users to establish SSH connections to hosts protected by a DNG instance. When a user initiates an SSH connection to a DNG-protected host for the first time using DuoConnect, the user’s browser is opened to a login screen in order to complete authentication determined by the contents of the '-relay' argument. If the ‘-relay’ is set to a URL beginning with "http://", then the browser will initially attempt to load the URL over an insecure HTTP connection, before being immediately redirected to HTTPS (in addition to standard redirect mechanisms, the DNG uses HTTP Strict Transport Security headers to enforce this). After successfully authenticating to a DNG, DuoConnect stores an authentication token in a local system cache, so users do not have to complete this browser-based authentication workflow for every subsequent SSH connection. These tokens are valid for a configurable period of time, which defaults to 8 hours. If a user running DuoConnect already has a valid token, then instead of opening a web browser, DuoConnect directly contacts the DNG, again using the configured '-relay' value, and sends this token, as well as the intended SSH server hostname and port numbers. If the '-relay' argument begins with "http://", then this request will be sent over an insecure connection, and could be exposed to an attacker who is sniffing the traffic on the same network. The DNG authentication tokens that may be exposed during SSH relay may be used to gain network-level access to the servers and ports protected by that given relay host. The DNG provides network-level access only to the protected SSH servers. It does not interact with the independent SSH authentication and encryption. An attacker cannot use a stolen token on its own to authenticate against a DNG-protected SSH server.Show less
CVE-2020-7592 1Siemens 6Simatic Hmi Basic Panels 1st Generation Simatic Hmi Basic Panels 2nd GenerationSimatic Hmi Comfort Panels Firmware+3 more Nov 21, 2024 Jul 14, 2020 N/A· v4 6.5 MEDIUM· v3 3.3 LOW· v2 A vulnerability has been identified in SIMATIC HMI Basic Panels 1st Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Comfort P...Show more A vulnerability has been identified in SIMATIC HMI Basic Panels 1st Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC HMI KTP700F Mobile Arctic (All versions), SIMATIC HMI Mobile Panels 2nd Generation (All versions), SIMATIC WinCC Runtime Advanced (All versions). Unencrypted communication between the configuration software and the respective device could allow an attacker to capture potential plain text communication and have access to sensitive information.Show less
CVE-2020-14171 1Atlassian 1Bitbucket Nov 21, 2024 Jul 9, 2020 N/A· v4 6.5 MEDIUM· v3 5.8 MEDIUM· v2 Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack.
CVE-2020-12398 2Canonical Mozilla 2Thunderbird Ubuntu Linux Nov 21, 2024 Jul 9, 2020 N/A· v4 7.5 HIGH· v3 4.3 MEDIUM· v2 If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection. T...Show more If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection. This vulnerability affects Thunderbird < 68.9.0.Show less
CVE-2020-15509 1Nordicsemi 2Android Ble Library Dfu Library Nov 21, 2024 Jul 7, 2020 N/A· v4 6.5 MEDIUM· v3 3.3 LOW· v2 Nordic Semiconductor Android BLE Library through 2.2.1 and DFU Library through 1.10.4 for Android (as used by nRF Connect and other applications) can engage in unencrypted communication while showing the user that the co...Show more Nordic Semiconductor Android BLE Library through 2.2.1 and DFU Library through 1.10.4 for Android (as used by nRF Connect and other applications) can engage in unencrypted communication while showing the user that the communication is purportedly encrypted. The problem is in bond creation (e.g., internalCreateBond in BleManagerHandler).Show less
CVE-2020-10281 1Dronecode 1Micro Air Vehicle Link Nov 21, 2024 Jul 3, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 This vulnerability applies to the Micro Air Vehicle Link (MAVLink) protocol and allows a remote attacker to gain access to sensitive information provided it has access to the communication medium. MAVLink is a header-bas...Show more This vulnerability applies to the Micro Air Vehicle Link (MAVLink) protocol and allows a remote attacker to gain access to sensitive information provided it has access to the communication medium. MAVLink is a header-based protocol that does not perform encryption to improve transfer (and reception speed) and efficiency by design. The increasing popularity of the protocol (used accross different autopilots) has led to its use in wired and wireless mediums through insecure communication channels exposing sensitive information to a remote attacker with ability to intercept network traffic.Show less

Previous 1...303132...45 Next