| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. By default, the communication to the web service is unencrypted via http. An attacker is able to intercept and sniff communication to the web service. |
| In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to external components. |
| The Nulock application 1.5.0 for mobile devices sends a cleartext password over Bluetooth, which allows remote attackers (after sniffing the network) to take control of the lock. |
| Unencrypted HTTP communications for firmware upgrades in Petalk AI and PF-103 allow man-in-the-middle attackers to run arbitrary code as the root user. |
| An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Sensitive Credentials data is transmitted in cleartext. |
| Jenkins SCTMExecutor Plugin 2.2 and earlier transmits previously configured service credentials in plain text as part of the global configuration, as well as individual jobs' configurations. |
| Jenkins QMetry for JIRA - Test Management Plugin transmits credentials in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure. |
| DTEN D5 before 1.3 and D7 before 1.3 devices transfer customer data files via unencrypted HTTP. |
| Brocade SANnav versions before v2.0, logs plain text database connection password while triggering support save. |
| The authentication mechanism, in Brocade SANnav versions before v2.0, logs plaintext account credentials at the ‘trace’ and the 'debug' logging level; which could allow a local authenticated attacker to access sensitive information. |
| NETSAS Enigma NMS 65.0.0 and prior utilises basic authentication over HTTP for enforcing access control to the web application. The use of weak authentication transmitted over cleartext protocols can allow an attacker to steal username and password combinations by intercepting authentication traffic in transit. |
| NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data rendered within web pages. It is possible for an attacker to expose unencrypted sensitive data. |
| NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data stored within the SQL database. It is possible for an attacker to expose unencrypted sensitive data. |
| In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted in memory. Upon a crash, it may dump a core file. If a user were to mishandle a core file, an attacker can reconstruct the user's wallet.dat file, including their private keys, via a grep "6231 0500" command. |
| An issue was discovered on ASUS HG100, MW100, WS-101, TS-101, AS-101, MS-101, DL-101 devices using ZigBee PRO. Because of insecure key transport in ZigBee communication, attackers can obtain sensitive information, cause the multiple denial of service attacks, take over smart home devices, and tamper with messages. |
| A clear text storage of sensitive information vulnerability in FortiClient for Mac may allow a local attacker to read sensitive information logged in the console window when the user connects to an SSL VPN Gateway. |
| Comba AP2600-I devices through A02,0202N00PD2 are prone to password disclosure via an insecure authentication mechanism. The HTML source code of the login page contains values that allow obtaining the username and password. The username are password values are a double md5 of the plaintext real value, i.e., md5(md5(value)). |
| An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box. |
| The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability. |
| In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7. |
