ReportizFlow
Filtered by vendor
Subscriptions
Total
685 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-16041 | 1 Ikst Project | 1 Ikst | 2024-11-21 | N/A |
| ikst versions before 1.1.2 download resources over HTTP, which leaves it vulnerable to MITM attacks. | ||||
| CVE-2017-16040 | 1 Gfe-sass Project | 1 Gfe-sass | 2024-11-21 | N/A |
| gfe-sass is a library for promises (CommonJS/Promises/A,B,D) gfe-sass downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server. | ||||
| CVE-2017-16035 | 1 Hubspot | 1 Hubl-server | 2024-11-21 | N/A |
| The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP url. Because of this behavior an attacker with the ability to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation. | ||||
| CVE-2017-15999 | 1 Nq | 1 Contacts Backup \& Restore | 2024-11-21 | N/A |
| In the "NQ Contacts Backup & Restore" application 1.1 for Android, no HTTPS is used for transmitting login and synced user data. When logging in, the username is transmitted in cleartext along with an SHA-1 hash of the password. The attacker can either crack this hash or use it for further attacks where only the hash value is required. | ||||
| CVE-2017-15290 | 1 Mirasys | 1 Video Management System | 2024-11-21 | N/A |
| Mirasys Video Management System (VMS) 6.x before 6.4.6, 7.x before 7.5.15, and 8.x before 8.1.1 has a login process in which cleartext data is sent from a server to a client, and not all of this data is required for the client functionality. | ||||
| CVE-2017-15042 | 2 Golang, Redhat | 3 Go, Devtools, Enterprise Linux | 2024-11-21 | N/A |
| An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password. | ||||
| CVE-2017-14486 | 1 Vibease | 2 Chat, Wireless Remote Vibrator | 2024-11-21 | N/A |
| The Vibease Wireless Remote Vibrator app for Android and the Vibease Chat app for iOS use cleartext to exchange messages with other apps and the PLAIN SASL mechanism to send auth tokens to Vibease servers, which allows remote attackers to obtain user credentials, messages, and other sensitive information by sniffing the network for XMPP traffic. | ||||
| CVE-2017-14009 | 1 Prominent | 2 Multiflex M10a Controller, Multiflex M10a Controller Firmware | 2024-11-21 | N/A |
| An Information Exposure issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When an authenticated user uses the Change Password feature on the application, the current password for the user is specified in plaintext. This may allow an attacker who has been authenticated to gain access to the password. | ||||
| CVE-2017-12716 | 1 Abbott | 8 Accent, Accent Firmware, Accent Mri and 5 more | 2024-11-21 | N/A |
| Abbott Laboratories Accent and Anthem pacemakers manufactured prior to Aug 28, 2017 transmit unencrypted patient information via RF communications to programmers and home monitoring units. Additionally, the Accent and Anthem pacemakers store the optional patient information without encryption. CVSS v3 base score: 3.1, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. Abbott has developed a firmware update to help mitigate the identified vulnerabilities. | ||||
| CVE-2017-11103 | 5 Apple, Debian, Freebsd and 2 more | 6 Iphone Os, Mac Os X, Debian Linux and 3 more | 2024-11-21 | 8.1 High |
| Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated. | ||||
| CVE-2017-1000024 | 1 Gnome | 1 Shotwell | 2024-11-21 | N/A |
| Shotwell version 0.24.4 or earlier and 0.25.3 or earlier is vulnerable to an information disclosure in the web publishing plugins resulting in potential password and oauth token plaintext transmission | ||||
| CVE-2017-0925 | 2 Debian, Gitlab | 2 Debian Linux, Gitlab | 2024-11-21 | N/A |
| Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password. | ||||
| CVE-2016-5649 | 1 Netgear | 4 Dgn2200, Dgn2200 Firmware, Dgnd3700 and 1 more | 2024-11-21 | N/A |
| A vulnerability is in the 'BSW_cxttongr.htm' page of the Netgear DGN2200, version DGN2200-V1.0.0.50_7.0.50, and DGND3700, version DGND3700-V1.0.0.17_1.0.17, which can allow a remote attacker to access this page without any authentication. When processed, it exposes the admin password in clear text before it gets redirected to absw_vfysucc.cgia. An attacker can use this password to gain administrator access to the targeted router's web interface. | ||||
| CVE-2016-5638 | 1 Netgear | 2 Wndr4500, Wndr4500 Firmware | 2024-11-21 | N/A |
| There are few web pages associated with the genie app on the Netgear WNDR4500 running firmware version V1.0.1.40_1.0.6877. Genie app adds some capabilities over the Web GUI and can be accessed even when you are away from home. A remote attacker can access genie_ping.htm or genie_ping2.htm or genie_ping3.htm page without authentication. Once accessed, the page will be redirected to the aCongratulations2.htma page, which reveals some sensitive information such as 2.4GHz & 5GHz Wireless Network Name (SSID) and Network Key (Password) in clear text. | ||||
| CVE-2016-5597 | 2 Oracle, Redhat | 6 Jdk, Jre, Enterprise Linux and 3 more | 2024-11-21 | N/A |
| Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java SE Embedded 8u101 allows remote attackers to affect confidentiality via vectors related to Networking. | ||||
| CVE-2015-7542 | 3 Aquamaniac, Debian, Opensuse | 3 Gwenhywfar, Debian Linux, Leap | 2024-11-21 | 5.3 Medium |
| A vulnerability exists in libgwenhywfar through 4.12.0 due to the usage of outdated bundled CA certificates. | ||||
| CVE-2015-5152 | 2 Redhat, Theforeman | 3 Satellite, Satellite Capsule, Foreman | 2024-11-21 | N/A |
| Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack. | ||||
| CVE-2015-0834 | 3 Canonical, Mozilla, Opensuse | 3 Ubuntu Linux, Firefox, Opensuse | 2024-11-21 | N/A |
| The WebRTC subsystem in Mozilla Firefox before 36.0 recognizes turns: and stuns: URIs but accesses the TURN or STUN server without using TLS, which makes it easier for man-in-the-middle attackers to discover credentials by spoofing a server and completing a brute-force attack within a short time window. | ||||
| CVE-2014-8174 | 1 Redhat | 1 Edeploy | 2024-11-21 | N/A |
| eDeploy makes it easier for remote attackers to execute arbitrary code by leveraging use of HTTP to download files. | ||||
| CVE-2014-5380 | 1 Granding | 2 Grand Ma300, Grand Ma300 Firmware | 2024-11-21 | 7.5 High |
| Grand MA 300 allows retrieval of the access PIN from sniffed data. | ||||