Vulnerabilities (CVE)

Filtered by CWE-311
Total 312 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-18980 1 Philips 2 Taolight Smart Wi-fi Wiz Connected Led Bulb 9290022656, Taolight Smart Wi-fi Wiz Connected Led Bulb 9290022656 Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The only requirement is that the attacker have network access to the bulb.
CVE-2019-18833 1 Barco 2 Clickshare Button R9861500d01, Clickshare Button R9861500d01 Firmware 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
Barco ClickShare Button R9861500D01 devices before 1.9.0 allow Information exposure (issue 2 of 2).. The encryption key of the media content which is shared between a ClickShare Button and a ClickShare Base Unit is randomly generated for each new session and communicated over a TLS connection. An attacker who is able to perform a Man-in-the-Middle attack between the TLS connection, is able to obtain the encryption key.
CVE-2019-18800 1 Rakuten 1 Viber 2024-11-21 4.3 MEDIUM 8.8 HIGH
Viber through 11.7.0.5 allows a remote attacker who can capture a victim's internet traffic to steal their Viber account, because not all Viber protocol traffic is encrypted. TCP data packet 9 on port 4244 from the victim's device contains cleartext information such as the device model and OS version, IMSI, and 20 bytes of udid in a binary format, which is located at offset 0x14 of this packet. Then, the attacker installs Viber on his device, initiates the registration process for any phone number, but doesn't enter a pin from SMS. Instead, he closes Viber. Next, the attacker rewrites his udid with the victim's udid, modifying the viber_udid file, which is located in the Viber preferences folder. (The udid is stored in a hexadecimal format.) Finally, the attacker starts Viber again and enters the pin from SMS.
CVE-2019-18376 1 Symantec 1 Management Center 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated Management Center (MC) user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC.
CVE-2019-18201 1 Fujitsu 2 Lx390, Lx390 Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Because of the lack of proper encryption of 2.4 GHz communication, an attacker is able to eavesdrop on sensitive data such as passwords.
CVE-2019-17218 1 Vzug 2 Combi-stream Mslq, Combi-stream Mslq Firmware 2024-11-21 5.0 MEDIUM 9.1 CRITICAL
An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. By default, the communication to the web service is unencrypted via http. An attacker is able to intercept and sniff communication to the web service.
CVE-2019-16274 1 Dten 4 D5, D5 Firmware, D7 and 1 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
DTEN D5 before 1.3 and D7 before 1.3 devices transfer customer data files via unencrypted HTTP.
CVE-2019-16206 1 Broadcom 1 Brocade Sannav 2024-11-21 2.1 LOW 5.5 MEDIUM
The authentication mechanism, in Brocade SANnav versions before v2.0, logs plaintext account credentials at the ‘trace’ and the 'debug' logging level; which could allow a local authenticated attacker to access sensitive information.
CVE-2019-16063 1 Netsas 1 Enigma Network Management Solution 2024-11-21 5.0 MEDIUM 7.5 HIGH
NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data rendered within web pages. It is possible for an attacker to expose unencrypted sensitive data.
CVE-2019-16062 1 Netsas 1 Enigma Network Management Solution 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data stored within the SQL database. It is possible for an attacker to expose unencrypted sensitive data.
CVE-2019-15704 1 Fortinet 1 Forticlient 2024-11-21 2.1 LOW 5.5 MEDIUM
A clear text storage of sensitive information vulnerability in FortiClient for Mac may allow a local attacker to read sensitive information logged in the console window when the user connects to an SSL VPN Gateway.
CVE-2019-14959 1 Jetbrains 1 Toolbox 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
JetBrains Toolbox before 1.15.5605 was resolving an internal URL via a cleartext http connection.
CVE-2019-14954 1 Jetbrains 1 Intellij Idea 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection.
CVE-2019-14317 1 Wolfssl 1 Wolfssl 2024-11-21 4.3 MEDIUM 5.3 MEDIUM
wolfSSL and wolfCrypt 4.1.0 and earlier (formerly known as CyaSSL) generate biased DSA nonces. This allows a remote attacker to compute the long term private key from several hundred DSA signatures via a lattice attack. The issue occurs because dsa.c fixes two bits of the generated nonces.
CVE-2019-13922 1 Siemens 1 Sinema Remote Connect Server 2024-11-21 4.0 MEDIUM 2.7 LOW
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). An attacker with administrative privileges can obtain the hash of a connected device's password. The security vulnerability could be exploited by an attacker with network access to the SINEMA Remote Connect Server and administrative privileges. At the time of advisory publication no public exploitation of this security vulnerability was known.
CVE-2019-12924 1 Mailenable 1 Mailenable 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including the highest privileged users).
CVE-2019-12121 1 Onap 1 Open Network Automation Platform 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was detected in ONAP Portal through Dublin. By executing a padding oracle attack using the ONAPPORTAL/processSingleSignOn UserId field, an attacker is able to decrypt arbitrary information encrypted with the same symmetric key as UserId. All Portal setups are affected.
CVE-2019-11836 1 Rediff 1 Rediffmail 2024-11-21 2.1 LOW 4.6 MEDIUM
The Rediffmail (aka com.rediff.mail.and) application 2.2.6 for Android has cleartext mail content in file storage, persisting after a logout.
CVE-2019-11523 1 Anviz 2 M3, M3 Firmware 2024-11-21 7.5 HIGH 9.8 CRITICAL
Anviz Global M3 Outdoor RFID Access Control executes any command received from any source. No authentication/encryption is done. Attackers can fully interact with the device: for example, send the "open door" command, download the users list (which includes RFID codes and passcodes in cleartext), or update/create users. The same attack can be executed on a local network and over the internet (if the device is exposed on a public IP address).
CVE-2019-11405 1 Openapi-generator 1 Openapi Generator 2024-11-21 5.8 MEDIUM 8.1 HIGH
OpenAPI Tools OpenAPI Generator before 4.0.0-20190419.052012-560 uses http:// URLs in various build.gradle, build.gradle.mustache, and build.sbt files, which may have caused insecurely resolved dependencies.