Total
736 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2017-8851 | 1 Oneplus | 3 Oneplus One, Oneplus X, Oxygenos | 2025-04-20 | N/A |
An issue was discovered on OnePlus One and X devices. Due to a lenient updater-script on the OnePlus One and X OTA images, the fact that both products use the same OTA verification keys, and the fact that both products share the same 'ro.build.product' system property, attackers can install OTAs of one product over the other, even on locked bootloaders. That could theoretically allow for exploitation of vulnerabilities patched on one image but not on the other, in addition to expansion of the attack surface. Moreover, the vulnerability may result in having the device unusable until a Factory Reset is performed. This vulnerability can be exploited by Man-in-the-Middle (MiTM) attackers targeting the update process. This is possible because the update transaction does not occur over TLS (CVE-2016-10370). In addition, physical attackers can reboot the phone into recovery, and then use 'adb sideload' to push the OTA. | ||||
CVE-2017-9035 | 1 Trendmicro | 1 Serverprotect | 2025-04-20 | 7.4 High |
Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows attackers to eavesdrop and tamper with updates by leveraging unencrypted communications with update servers. | ||||
CVE-2017-3305 | 3 Debian, Oracle, Redhat | 3 Debian Linux, Mysql, Rhel Software Collections | 2025-04-20 | N/A |
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: C API). Supported versions that are affected are 5.5.55 and earlier and 5.6.35 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N). NOTE: the previous information is from the April 2017 CPU. Oracle has not commented on third-party claims that this issue allows man-in-the-middle attackers to hijack the authentication of users by leveraging incorrect ordering of security parameter verification in a client, aka, "The Riddle". | ||||
CVE-2017-2412 | 1 Apple | 1 Iphone Os | 2025-04-20 | N/A |
An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "iTunes Store" component. It allows man-in-the-middle attackers to modify the client-server data stream to iTunes sandbox web services by leveraging use of cleartext HTTP. | ||||
CVE-2015-5152 | 2 Redhat, Theforeman | 3 Satellite, Satellite Capsule, Foreman | 2025-04-20 | N/A |
Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack. | ||||
CVE-2017-17844 | 2 Debian, Enigmail | 2 Debian Linux, Enigmail | 2025-04-20 | N/A |
An issue was discovered in Enigmail before 1.9.9. A remote attacker can obtain cleartext content by sending an encrypted data block (that the attacker cannot directly decrypt) to a victim, and relying on the victim to automatically decrypt that block and then send it back to the attacker as quoted text, aka the TBE-01-005 "replay" issue. | ||||
CVE-2017-1694 | 1 Ibm | 1 Integration Bus | 2025-04-20 | N/A |
IBM Integration Bus 9.0 and 10.0 transmits user credentials in plain in clear text which can be read by an attacker using man in the middle techniques. IBM X-Force ID: 134165. | ||||
CVE-2014-8174 | 1 Redhat | 1 Edeploy | 2025-04-20 | N/A |
eDeploy makes it easier for remote attackers to execute arbitrary code by leveraging use of HTTP to download files. | ||||
CVE-2017-15999 | 1 Nq | 1 Contacts Backup \& Restore | 2025-04-20 | N/A |
In the "NQ Contacts Backup & Restore" application 1.1 for Android, no HTTPS is used for transmitting login and synced user data. When logging in, the username is transmitted in cleartext along with an SHA-1 hash of the password. The attacker can either crack this hash or use it for further attacks where only the hash value is required. | ||||
CVE-2017-15290 | 1 Mirasys | 1 Video Management System | 2025-04-20 | N/A |
Mirasys Video Management System (VMS) 6.x before 6.4.6, 7.x before 7.5.15, and 8.x before 8.1.1 has a login process in which cleartext data is sent from a server to a client, and not all of this data is required for the client functionality. | ||||
CVE-2017-15042 | 2 Golang, Redhat | 3 Go, Devtools, Enterprise Linux | 2025-04-20 | N/A |
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password. | ||||
CVE-2017-14486 | 1 Vibease | 2 Chat, Wireless Remote Vibrator | 2025-04-20 | N/A |
The Vibease Wireless Remote Vibrator app for Android and the Vibease Chat app for iOS use cleartext to exchange messages with other apps and the PLAIN SASL mechanism to send auth tokens to Vibease servers, which allows remote attackers to obtain user credentials, messages, and other sensitive information by sniffing the network for XMPP traffic. | ||||
CVE-2017-14009 | 1 Prominent | 2 Multiflex M10a Controller, Multiflex M10a Controller Firmware | 2025-04-20 | N/A |
An Information Exposure issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When an authenticated user uses the Change Password feature on the application, the current password for the user is specified in plaintext. This may allow an attacker who has been authenticated to gain access to the password. | ||||
CVE-2023-34829 | 1 Tp-link | 1 Tapo | 2025-04-17 | 6.5 Medium |
Incorrect access control in TP-Link Tapo before v3.1.315 allows attackers to access user credentials in plaintext. | ||||
CVE-2023-31300 | 1 Sesami | 1 Cash Point \& Transport Optimizer | 2025-04-17 | 7.5 High |
An issue was discovered in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via transmission of unencrypted, cleartext credentials during Password Reset feature. | ||||
CVE-2025-43704 | 2025-04-17 | 4.7 Medium | ||
Arctera/Veritas Data Insight before 7.1.2 can send cleartext credentials when configured to use HTTP Basic Authentication to a Dell Isilon OneFS server. | ||||
CVE-2020-4497 | 1 Ibm | 1 Spectrum Protect Plus | 2025-04-17 | 6.8 Medium |
IBM Spectrum Protect Plus 10.1.0 through 10.1.12 discloses sensitive information due to unencrypted data being used in the communication flow between Spectrum Protect Plus vSnap and its agents. An attacker could obtain information using main in the middle techniques. IBM X-Force ID: 182106. | ||||
CVE-2022-42454 | 1 Hcltechsw | 1 Bigfix Insights For Vulnerability Remediation | 2025-04-16 | 6.4 Medium |
Insights for Vulnerability Remediation (IVR) is vulnerable to man-in-the-middle attacks that may lead to information disclosure. This requires privileged network access. | ||||
CVE-2022-21798 | 1 Ge | 1 Cimplicity | 2025-04-16 | 7.5 High |
The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system. | ||||
CVE-2020-25178 | 3 Rockwellautomation, Schneider-electric, Xylem | 31 Aadvance Controller, Isagraf Free Runtime, Isagraf Runtime and 28 more | 2025-04-16 | 7.5 High |
ISaGRAF Workbench communicates with Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x using TCP/IP. This communication protocol provides various file system operations, as well as the uploading of applications. Data is transferred over this protocol unencrypted, which could allow a remote unauthenticated attacker to upload, read, and delete files. |