Total
492 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-7485 | 2 Postgresql, Redhat | 3 Postgresql, Network Satellite, Rhel Software Collections | 2025-04-20 | N/A |
| In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. | ||||
| CVE-2017-17763 | 1 Liveqos | 1 Superbeam | 2025-04-20 | 7.5 High |
| SuperBeam through 4.1.3, when using the LAN or WiFi Direct Share feature, does not use HTTPS or any integrity-protection mechanism for file transfer, which makes it easier for remote attackers to send crafted files, as demonstrated by APK injection. | ||||
| CVE-2017-15609 | 1 Octopus | 1 Octopus Deploy | 2025-04-20 | N/A |
| Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop Targets. | ||||
| CVE-2022-41627 | 1 Alivecor | 6 Kardiamobile, Kardiamobile 6l, Kardiamobile 6l Firmware and 3 more | 2025-04-16 | 4.8 Medium |
| The physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone’s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves. | ||||
| CVE-2021-21963 | 1 Sealevel | 2 Seaconnect 370w, Seaconnect 370w Firmware | 2025-04-15 | 5.9 Medium |
| An information disclosure vulnerability exists in the Web Server functionality of Sealevel Systems, Inc. SeaConnect 370W v1.3.34. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information. An attacker can perform a man-in-the-middle attack to trigger this vulnerability. | ||||
| CVE-2025-1688 | 1 Milestone Systems | 1 Xprotect Vms | 2025-04-15 | 5.5 Medium |
| Milestone Systems has discovered a security vulnerability in Milestone XProtect installer that resets system configuration password after the upgrading from older versions using specific installers. The system configuration password is an additional, optional protection that is enabled on the Management Server. To mitigate the issue, we highly recommend updating system configuration password via GUI with a standard procedure. Any system upgraded with 2024 R1 or 2024 R2 release installer is vulnerable to this issue. Systems upgraded from 2023 R3 or older with version 2025 R1 and newer are not affected. | ||||
| CVE-2022-38658 | 2 Hcltech, Microsoft | 2 Bigfix Server Automation, Windows | 2025-04-15 | 7.7 High |
| BigFix deployments that have installed the Notification Service on Windows are susceptible to disclosing SMTP BigFix operator's sensitive data in clear text. Operators who use Notification Service related content from BES Support are at risk of leaving their SMTP sensitive data exposed. | ||||
| CVE-2022-4409 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-04-14 | 7.5 High |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9. | ||||
| CVE-2021-4239 | 1 Noiseprotocol | 1 Noise | 2025-04-14 | 7.5 High |
| The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce. In a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages. | ||||
| CVE-2022-38194 | 1 Esri | 1 Portal For Arcgis | 2025-04-10 | 6.7 Medium |
| In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file. | ||||
| CVE-2022-4683 | 1 Usememos | 1 Memos | 2025-04-09 | 6.5 Medium |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0. | ||||
| CVE-2007-4961 | 1 Lindenlab | 1 Second Life | 2025-04-09 | 7.5 High |
| The login_to_simulator method in Linden Lab Second Life, as used by the secondlife:// protocol handler and possibly other Second Life login mechanisms, sends an MD5 hash in cleartext in the passwd field, which allows remote attackers to login to an account by sniffing the network and then sending this hash to a Second Life authentication server. | ||||
| CVE-2024-23444 | 1 Elastic | 1 Elasticsearch | 2025-04-04 | 4.9 Medium |
| It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation. | ||||
| CVE-2023-37405 | 1 Ibm | 1 Cloud Pak System | 2025-03-28 | 6.5 Medium |
| IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, 2.3.4.0, and 2.3.4.1 stores sensitive data in memory, that could be obtained by an unauthorized user. | ||||
| CVE-2025-29314 | 2025-03-27 | 8.1 High | ||
| Insecure Shiro cookie configurations in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allow attackers to access sensitive information via a man-in-the-middle attack. | ||||
| CVE-2022-47715 | 1 Lastyard | 1 Last Yard | 2025-03-27 | 5.3 Medium |
| In Last Yard 22.09.8-1, the cookie can be stolen via via unencrypted traffic. | ||||
| CVE-2023-0690 | 1 Hashicorp | 1 Boundary | 2025-03-24 | 5 Medium |
| HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker’s disk. This issue is fixed in version 0.12.0. | ||||
| CVE-2022-21940 | 1 Johnsoncontrols | 1 Metasys System Configuration Tool | 2025-03-24 | 7.5 High |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie. | ||||
| CVE-2024-23942 | 2025-03-18 | 7.1 High | ||
| A local user may find a configuration file on the client workstation with unencrypted sensitive data. This allows an attacker to impersonate the device or prevent the device from accessing the cloud portal which leads to a DoS. | ||||
| CVE-2022-38458 | 1 Netgear | 2 Rbs750, Rbs750 Firmware | 2025-02-26 | 6.5 Medium |
| A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information. | ||||