Filtered by CWE-319
Filtered by vendor Subscriptions
Total 685 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-0283 1 Cisco 1 Secure Firewall Management Center 2024-11-29 N/A
A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to restart an instance of the Snort detection engine on an affected device, resulting in a brief denial of service (DoS) condition. The vulnerability is due to the incorrect handling of Transport Layer Security (TLS) TCP connection setup for the affected software. An attacker could exploit this vulnerability by sending crafted TLS traffic to an affected device. A successful exploit could allow the attacker to cause the Snort detection engine on the affected device to restart, resulting in a DoS condition. Cisco Bug IDs: CSCvg99327.
CVE-2024-6972 2024-11-26 6.5 Medium
In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text.
CVE-2024-25650 2024-11-21 5.9 Medium
Insecure key exchange between Delinea PAM Secret Server 11.4 and the Distributed Engine 8.4.3 allows a PAM administrator to obtain the Symmetric Key (used to encrypt RabbitMQ messages) via crafted payloads to the /pre-authenticate, /authenticate, and /execute-and-respond REST API endpoints. This makes it possible for a PAM administrator to impersonate the Engine and exfiltrate sensitive information from the messages published in the RabbitMQ exchanges, without being audited in the application.
CVE-2024-5631 2024-11-21 N/A
Longse NVR (Network Video Recorder) model NVR3608PGE2W, as well as products based on this device, are transmitting user's login and password to a remote control service without using any encryption. This enables an on-path attacker to eavesdrop the credentials and subsequently obtain access to the video stream.  The credentials are being sent when a user decides to change his password in router's portal.
CVE-2024-4161 2024-11-21 8.6 High
In Brocade SANnav, before Brocade SANnav v2.3.0, syslog traffic received clear text. This could allow an unauthenticated, remote attacker to capture sensitive information.
CVE-2024-41687 1 Syrotech 2 Sy-gpon-1110-wdont, Sy-gpon-1110-wdont Firmware 2024-11-21 7.5 High
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to transmission of password in plain text. A remote attacker could exploit this vulnerability by intercepting transmission within an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.
CVE-2024-41124 2024-11-21 6.3 Medium
Puncia is the Official CLI utility for Subdomain Center & Exploit Observer. `API_URLS` is utilizing HTTP instead of HTTPS for communication that can lead to issues like Eavesdropping, Data Tampering, Unauthorized Data Access & MITM Attacks. This issue has been addressed in release version 0.21 by using https rather than http connections. All users are advised to upgrade. There is no known workarounds for this vulnerability.
CVE-2024-37393 1 Securenvoy 2 Mfa, Multi-factor Authentication Solutions 2024-11-21 9.8 Critical
Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.
CVE-2024-37183 2024-11-21 5.7 Medium
Plain text credentials and session ID can be captured with a network sniffer.
CVE-2024-37163 1 Opensourcelabs 1 Skyscraper 2024-11-21 6.4 Medium
SkyScrape is a GUI Dashboard for AWS Infrastructure and Managing Resources and Usage Costs. SkyScrape's API requests are currently unsecured HTTP requests, leading to potential vulnerabilities for the user's temporary credentials and data. This affects version 1.0.0.
CVE-2024-35210 1 Siemens 1 Sinec Traffic Analyzer 2024-11-21 6.5 Medium
A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected web server is not enforcing HSTS. This could allow an attacker to perform downgrade attacks exposing confidential information.
CVE-2024-35060 2024-11-21 7.5 High
An issue in the YAML Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands via supplying a crafted YAML file.
CVE-2024-35059 2024-11-21 7.5 High
An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands.
CVE-2024-35058 2024-11-21 7.5 High
An issue in the API wait function of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via supplying a crafted string.
CVE-2024-35057 2024-11-21 7.5 High
An issue in NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via a crafted packet.
CVE-2024-32946 1 Level1 2 Wbr-6012, Wbr-6012 Firmware 2024-11-21 5.9 Medium
A vulnerability in the LevelOne WBR-6012 router's firmware version R0.40e6 allows sensitive information to be transmitted in cleartext via Web and FTP services, exposing it to network sniffing attacks.
CVE-2024-31840 1 Italtel 1 Embrace 2024-11-21 6.5 Medium
An issue was discovered in Italtel Embrace 1.6.4. The web application inserts cleartext passwords in the HTML source code. An authenticated user is able to edit the configuration of the email server. Once the user access the edit function, the web application fills the edit form with the current credentials for the email account, including the cleartext password.
CVE-2024-31206 2024-11-21 8.2 High
dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `[email protected]`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack. The network request was upgraded to HTTPS in version `1.0.1`. There are no workarounds, but some precautions include not sending any sensitive information and carefully verifying the API response before saving it.
CVE-2024-30209 2024-11-21 9.6 Critical
A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected systems transmit client-side resources without proper cryptographic protection. This could allow an attacker to eavesdrop on and modify resources in transit. A successful exploit requires an attacker to be in the network path between the RTLS Locating Manager server and a client (MitM).
CVE-2024-28275 1 Puwellcloudtech 1 360eyes Pro 2024-11-21 6.5 Medium
Puwell Cloud Tech Co, Ltd 360Eyes Pro v3.9.5.16(3090516) was discovered to transmit sensitive information in cleartext. This vulnerability allows attackers to intercept and access sensitive information, including users' credentials and password change requests.