Search Results (4594 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-1232 1 Ibm 1 Bigfix Platform 2025-04-20 N/A
IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. IBM X-Force ID: 123911.
CVE-2017-1309 1 Ibm 1 Infosphere Master Data Management Server 2025-04-20 N/A
IBM InfoSphere Master Data Management Server 11.0 - 11.6 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 125463.
CVE-2017-14009 1 Prominent 2 Multiflex M10a Controller, Multiflex M10a Controller Firmware 2025-04-20 N/A
An Information Exposure issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When an authenticated user uses the Change Password feature on the application, the current password for the user is specified in plaintext. This may allow an attacker who has been authenticated to gain access to the password.
CVE-2016-10139 1 Adups 1 Adups Fota 2025-04-20 N/A
An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The two package names involved in the exfiltration are com.adups.fota and com.adups.fota.sysoper. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. Therefore, the app executing as the system user has been granted a number of powerful permissions even though they are not present in the com.adups.fota.sysoper app's AndroidManifest.xml file. This app provides the com.adups.fota app access to the user's call log, text messages, and various device identifiers through the com.adups.fota.sysoper.provider.InfoProvider component. The com.adups.fota app uses timestamps when it runs and is eligible to exfiltrate the user's PII every 72 hours. If 72 hours have passed since the value of the timestamp, then the exfiltration will be triggered by the user plugging in the device to charge or when they leave or enter a wireless network. The exfiltration occurs in the background without any user interaction.
CVE-2014-2903 1 Wolfssl 1 Wolfssl 2025-04-20 N/A
CyaSSL does not check the key usage extension in leaf certificates, which allows remote attackers to spoof servers via a crafted server certificate not authorized for use in an SSL/TLS handshake.
CVE-2017-15581 1 Writediary 1 Diary With Lock 2025-04-20 N/A
In the "Diary with lock" (aka WriteDiary) application 4.72 for Android, neither HTTPS nor other encryption is used for transmitting data, despite the documentation that the product is intended for "a personal journal of ... secrets and feelings," which allows remote attackers to obtain sensitive information by sniffing the network during LoginActivity or NoteActivity execution.
CVE-2017-15609 1 Octopus 1 Octopus Deploy 2025-04-20 N/A
Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop Targets.
CVE-2016-4457 1 Redhat 2 Cloudforms Management Engine, Cloudforms Managementengine 2025-04-20 N/A
CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate.
CVE-2017-15999 1 Nq 1 Contacts Backup \& Restore 2025-04-20 N/A
In the "NQ Contacts Backup & Restore" application 1.1 for Android, no HTTPS is used for transmitting login and synced user data. When logging in, the username is transmitted in cleartext along with an SHA-1 hash of the password. The attacker can either crack this hash or use it for further attacks where only the hash value is required.
CVE-2017-2723 1 Huawei 1 Files 2025-04-20 N/A
The Files APP 7.1.1.308 and earlier versions in some Huawei mobile phones has a vulnerability of plaintext storage of users' Safe passwords. An attacker with the root privilege of an Android system could forge the Safe to read users' plaintext Safe passwords, leading to information leak.
CVE-2014-8686 1 Codeigniter 1 Codeigniter 2025-04-20 N/A
CodeIgniter before 2.2.0 makes it easier for attackers to decode session cookies by leveraging fallback to a custom XOR-based encryption scheme when the Mcrypt extension for PHP is not available.
CVE-2014-8684 2 Codeigniter, Kohanaframework 2 Codeigniter, Kohana 2025-04-20 N/A
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.
CVE-2017-5259 1 Cambiumnetworks 10 Cnpilot E400, Cnpilot E400 Firmware, Cnpilot E410 and 7 more 2025-04-20 N/A
In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, an undocumented, root-privilege administration web shell is available using the HTTP path https://<device-ip-or-hostname>/adm/syscmd.asp.
CVE-2017-3305 3 Debian, Oracle, Redhat 3 Debian Linux, Mysql, Rhel Software Collections 2025-04-20 N/A
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: C API). Supported versions that are affected are 5.5.55 and earlier and 5.6.35 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N). NOTE: the previous information is from the April 2017 CPU. Oracle has not commented on third-party claims that this issue allows man-in-the-middle attackers to hijack the authentication of users by leveraging incorrect ordering of security parameter verification in a client, aka, "The Riddle".
CVE-2023-34829 1 Tp-link 1 Tapo 2025-04-17 6.5 Medium
Incorrect access control in TP-Link Tapo before v3.1.315 allows attackers to access user credentials in plaintext.
CVE-2023-31300 1 Sesami 1 Cash Point \& Transport Optimizer 2025-04-17 7.5 High
An issue was discovered in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via transmission of unencrypted, cleartext credentials during Password Reset feature.
CVE-2020-4497 1 Ibm 1 Spectrum Protect Plus 2025-04-17 6.8 Medium
IBM Spectrum Protect Plus 10.1.0 through 10.1.12 discloses sensitive information due to unencrypted data being used in the communication flow between Spectrum Protect Plus vSnap and its agents. An attacker could obtain information using main in the middle techniques. IBM X-Force ID: 182106.
CVE-2020-14480 1 Rockwellautomation 1 Factorytalk View 2025-04-17 5.5 Medium
Due to usernames/passwords being stored in plaintext in Random Access Memory (RAM), a local, authenticated attacker could gain access to certain credentials, including Windows Logon credentials.
CVE-2024-40582 1 Pentaminds 1 Curovms 2025-04-17 7.5 High
Pentaminds CuroVMS v2.0.1 was discovered to contain exposed sensitive information.
CVE-2022-42454 1 Hcltechsw 1 Bigfix Insights For Vulnerability Remediation 2025-04-16 6.4 Medium
Insights for Vulnerability Remediation (IVR) is vulnerable to man-in-the-middle attacks that may lead to information disclosure.  This requires privileged network access.