ReportizFlow
Filtered by vendor
Subscriptions
Total
459 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-5482 | 1 Netapp | 1 Snapcenter Server | 2024-11-21 | N/A |
| NetApp SnapCenter Server prior to 4.1 does not set the secure flag for a sensitive cookie in an HTTPS session which can allow the transmission of the cookie in plain text over an unencrypted channel. | ||||
| CVE-2018-5481 | 1 Netapp | 1 Oncommand Unified Manager | 2024-11-21 | N/A |
| OnCommand Unified Manager for 7-Mode (core package) prior to 5.2.4 uses cookies that lack the secure attribute in certain circumstances making it vulnerable to impersonation via man-in-the-middle (MITM) attacks. | ||||
| CVE-2018-5261 | 1 Flexense | 1 Diskboss | 2024-11-21 | N/A |
| An issue was discovered in Flexense DiskBoss 8.8.16 and earlier. Due to the usage of plaintext information from the handshake as input for the encryption key used for the encryption of the rest of the session, the server and client disclose sensitive information, such as the authentication credentials, to any man-in-the-middle (MiTM) listener. | ||||
| CVE-2018-5185 | 4 Canonical, Debian, Mozilla and 1 more | 11 Ubuntu Linux, Debian Linux, Thunderbird and 8 more | 2024-11-21 | N/A |
| Plaintext of decrypted emails can leak through by user submitting an embedded form. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. | ||||
| CVE-2018-5162 | 4 Canonical, Debian, Mozilla and 1 more | 11 Ubuntu Linux, Debian Linux, Thunderbird and 8 more | 2024-11-21 | N/A |
| Plaintext of decrypted emails can leak through the src attribute of remote images, or links. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. | ||||
| CVE-2018-4855 | 1 Siemens | 4 Siclock Tc100, Siclock Tc100 Firmware, Siclock Tc400 and 1 more | 2024-11-21 | N/A |
| A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). Unencrypted storage of passwords in the client configuration files and during network transmission could allow an attacker in a privileged position to obtain access passwords. | ||||
| CVE-2018-4847 | 1 Siemens | 1 Simatic Wincc Oa Operator | 2024-11-21 | N/A |
| A vulnerability has been identified in SIMATIC WinCC OA Operator iOS App (All versions < V1.4). Insufficient protection of sensitive information (e.g. session key for accessing server) in Siemens WinCC OA Operator iOS app could allow an attacker with physical access to the mobile device to read unencrypted data from the app's directory. Siemens provides mitigations to resolve the security issue. | ||||
| CVE-2018-3826 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | N/A |
| In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API. | ||||
| CVE-2018-25060 | 1 Go-macaron | 1 Csrf | 2024-11-21 | 3.7 Low |
| A vulnerability was found in Macaron csrf and classified as problematic. Affected by this issue is some unknown functionality of the file csrf.go. The manipulation of the argument Generate leads to sensitive cookie without secure attribute. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The patch is identified as dadd1711a617000b70e5e408a76531b73187031c. It is recommended to apply a patch to fix this issue. VDB-217058 is the identifier assigned to this vulnerability. | ||||
| CVE-2018-20465 | 1 Craftcms | 1 Craft Cms | 2024-11-21 | N/A |
| Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field. | ||||
| CVE-2018-20100 | 1 August | 2 August Connect, August Connect Firmware | 2024-11-21 | N/A |
| An issue was discovered on August Connect devices. Insecure data transfer between the August app and August Connect during configuration allows attackers to discover home Wi-Fi credentials. This data transfer uses an unencrypted access point for these credentials, and passes them in an HTTP POST, using the AugustWifiDevice class, with data encrypted with a fixed key found obfuscated in the app. | ||||
| CVE-2018-1938 | 1 Ibm | 1 Cloud Private | 2024-11-21 | N/A |
| IBM Cloud Private 3.1.1 could alllow a local user with administrator privileges to intercept highly sensitive unencrypted data. IBM X-Force ID: 153318. | ||||
| CVE-2018-1937 | 1 Ibm | 1 Cloud Private | 2024-11-21 | N/A |
| IBM Cloud Private 3.1.1 could alllow a local user with administrator privileges to intercept highly sensitive unencrypted data. IBM X-Force ID: 153317. | ||||
| CVE-2018-1683 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | N/A |
| IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the failure to encrypt ORB communication. IBM X-Force ID: 145455. | ||||
| CVE-2018-1340 | 1 Apache | 1 Guacamole | 2024-11-21 | N/A |
| Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain. | ||||
| CVE-2018-19944 | 1 Qnap | 1 Qts | 2024-11-21 | 7.5 High |
| A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information. QNAP have already fixed this vulnerability in the following versions: QTS 4.4.3.1354 build 20200702 (and later) | ||||
| CVE-2018-18984 | 1 Medtronic | 6 29901 Encore Programmer, 29901 Encore Programmer Firmware, Carelink 2090 Programmer and 3 more | 2024-11-21 | 4.6 Medium |
| Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Encore Programmer, all versions, The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest PII and PHI. | ||||
| CVE-2018-17915 | 1 Xiongmaitech | 1 Xmeye P2p Cloud Server | 2024-11-21 | N/A |
| All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server do not encrypt all device communication. This includes the XMeye service and firmware update communication. This could allow an attacker to eavesdrop on video feeds, steal XMeye login credentials, or impersonate the update server with malicious update code. | ||||
| CVE-2018-17563 | 1 Grandstream | 12 Gxp1610, Gxp1610 Firmware, Gxp1615 and 9 more | 2024-11-21 | N/A |
| A Malformed Input String to /cgi-bin/api-get_line_status on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to dump the device's configuration in cleartext. | ||||
| CVE-2018-17287 | 1 Kofax | 1 Front Office Server | 2024-11-21 | N/A |
| In Kofax Front Office Server Administration Console 4.1.1.11.0.5212, some fields, such as passwords, are obfuscated in the front-end, but the cleartext value can be exfiltrated by using the back-end "download" feature, as demonstrated by an mfp.password downloadsettingvalue operation. | ||||