Filtered by CWE-311
Total 491 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-41757 1 Ibm 1 Concert 2025-07-18 5.9 Medium
IBM Concert Software 1.0.0 and 1.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
CVE-2025-1688 1 Milestone Systems 1 Xprotect Vms 2025-07-13 5.5 Medium
Milestone Systems has discovered a security vulnerability in the Milestone XProtect installer that resets the system configuration password after upgrading from older versions using specific installers. The system configuration password is an additional, optional protection that is enabled on the Management Server. To mitigate the issue, we highly recommend updating the system configuration password via the GUI with a standard procedure. Any system upgraded with 2024 R1 or 2024 R2 release installer is vulnerable to this issue. Systems upgraded from 2023 R3 or older with version 2025 R1 and newer are not affected.
CVE-2025-53676 2025-07-10 6.5 Medium
Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
CVE-2025-53678 2025-07-10 6.5 Medium
Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
CVE-2025-53673 2025-07-10 6.5 Medium
Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
CVE-2024-1936 3 Debian, Mozilla, Redhat 7 Debian Linux, Thunderbird, Enterprise Linux and 4 more 2025-06-30 7.5 High
The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third-party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments. This vulnerability affects Thunderbird < 115.8.1.
CVE-2018-8849 1 Medtronic 4 N'vision 8840, N'vision 8840 Firmware, N'vision 8870 and 1 more 2025-06-27 4.6 Medium
Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programme and 8870 N'Vision removable Application Card do not encrypt PII and PHI while at rest.
CVE-2012-1977 1 Wellintech 1 Kingview 2025-06-27 N/A
WellinTech KingSCADA 3.0 uses a cleartext base64 format for storage of passwords in user.db, which allows context-dependent attackers to obtain sensitive information by reading this file.
CVE-2025-32875 2025-06-23 5.7 Medium
An issue was discovered in the COROS application through 3.8.12 for Android. Bluetooth pairing and bonding is neither initiated nor enforced by the application itself. Also, the watch does not enforce pairing and bonding. As a result, any data transmitted via BLE remains unencrypted, allowing attackers within Bluetooth range to eavesdrop on the communication. Furthermore, even if a user manually initiates pairing and bonding in the Android settings, the application continues to transmit data without requiring the watch to be bonded. This fallback behavior enables attackers to exploit the communication, for example, by conducting an active machine-in-the-middle attack.
CVE-2023-50129 1 Flient 2 Smart Lock Advanced, Smart Lock Advanced Firmware 2025-06-20 6.5 Medium
Missing encryption in the NFC tags of the Flient Smart Door Lock v1.0 allows attackers to create a cloned tag via brief physical proximity to the original tags, which results in an attacker gaining access to the perimeter.
CVE-2024-24768 1 Fit2cloud 1 1panel 2025-06-18 6.5 Medium
1Panel is an open source Linux server operation and maintenance management panel. The HTTPS cookie that comes with the panel does not have the Secure keyword, which may cause the cookie to be sent in plain text if accessed using HTTP. This issue has been patched in version 1.9.6.
CVE-2023-33037 1 Qualcomm 166 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 163 more 2025-06-17 7.1 High
Cryptographic issue in Automotive while unwrapping the key secs2d and verifying with RPMB data.
CVE-2023-50126 1 Hozard 1 Alarm System 2025-06-03 6.5 Medium
Missing encryption in the RFID tags of the Hozard alarm system (Alarmsysteem) v1.0 allows attackers to create a cloned tag via brief physical proximity to one of the original tags, which results in an attacker being able to bring the alarm system to a disarmed state.
CVE-2023-6339 1 Google 2 Nest Wifi Pro, Nest Wifi Pro Firmware 2025-06-03 10 Critical
Google Nest WiFi Pro root code-execution & user-data compromise
CVE-2024-35061 1 Nasa 1 Ait Core 2025-06-03 7.3 High
NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, the CVE in subject leads to an unauthenticated, fully remote code execution.
CVE-2022-3251 1 Ikus-soft 1 Minarca 2025-05-28 5.3 Medium
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/minarca prior to 4.2.2.
CVE-2022-3250 1 Ikus-soft 1 Rdiffweb 2025-05-28 5.3 Medium
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6.
CVE-2018-18984 1 Medtronic 6 29901 Encore Programmer, 29901 Encore Programmer Firmware, Carelink 2090 Programmer and 3 more 2025-05-22 4.6 Medium
Medtronic CareLink and Encore Programmers do not encrypt or do not sufficiently encrypt sensitive PII and PHI information while at rest.
CVE-2025-24008 2025-05-13 6.5 Medium
A vulnerability has been identified in SIRIUS 3RK3 Modular Safety System (MSS) (All versions), SIRIUS Safety Relays 3SK2 (All versions). The affected devices do not encrypt data in transit. An attacker with network access could eavesdrop the connection and retrieve sensitive information, including obfuscated safety passwords.
CVE-2025-47274 2025-05-13 N/A
ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers. Due to the ordering of code used to start an MCP server container, versions of ToolHive prior to 0.0.33 inadvertently store secrets in the run config files which are used to restart stopped containers. This means that an attacker who has access to the home folder of the user who starts the MCP server can read secrets without needing access to the secrets store itself. This only applies to secrets which were used in containers whose run configs exist at a point in time - other secrets remaining inaccessible. ToolHive 0.0.33 fixes the issue. Some workarounds are available. Stop and delete any running MCP servers, or manually remove any runconfigs from `$HOME/Library/Application Support/toolhive/runconfigs/` (macOS) or `$HOME/.state/toolhive/runconfigs/` (Linux).