Total
312 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-18980 | 1 Philips | 2 Taolight Smart Wi-fi Wiz Connected Led Bulb 9290022656, Taolight Smart Wi-fi Wiz Connected Led Bulb 9290022656 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The only requirement is that the attacker have network access to the bulb. | |||||
| CVE-2019-18833 | 1 Barco | 2 Clickshare Button R9861500d01, Clickshare Button R9861500d01 Firmware | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Barco ClickShare Button R9861500D01 devices before 1.9.0 allow Information exposure (issue 2 of 2).. The encryption key of the media content which is shared between a ClickShare Button and a ClickShare Base Unit is randomly generated for each new session and communicated over a TLS connection. An attacker who is able to perform a Man-in-the-Middle attack between the TLS connection, is able to obtain the encryption key. | |||||
| CVE-2019-18800 | 1 Rakuten | 1 Viber | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH |
| Viber through 11.7.0.5 allows a remote attacker who can capture a victim's internet traffic to steal their Viber account, because not all Viber protocol traffic is encrypted. TCP data packet 9 on port 4244 from the victim's device contains cleartext information such as the device model and OS version, IMSI, and 20 bytes of udid in a binary format, which is located at offset 0x14 of this packet. Then, the attacker installs Viber on his device, initiates the registration process for any phone number, but doesn't enter a pin from SMS. Instead, he closes Viber. Next, the attacker rewrites his udid with the victim's udid, modifying the viber_udid file, which is located in the Viber preferences folder. (The udid is stored in a hexadecimal format.) Finally, the attacker starts Viber again and enters the pin from SMS. | |||||
| CVE-2019-18376 | 1 Symantec | 1 Management Center | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated Management Center (MC) user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC. | |||||
| CVE-2019-18201 | 1 Fujitsu | 2 Lx390, Lx390 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Because of the lack of proper encryption of 2.4 GHz communication, an attacker is able to eavesdrop on sensitive data such as passwords. | |||||
| CVE-2019-17218 | 1 Vzug | 2 Combi-stream Mslq, Combi-stream Mslq Firmware | 2024-11-21 | 5.0 MEDIUM | 9.1 CRITICAL |
| An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. By default, the communication to the web service is unencrypted via http. An attacker is able to intercept and sniff communication to the web service. | |||||
| CVE-2019-16274 | 1 Dten | 4 D5, D5 Firmware, D7 and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| DTEN D5 before 1.3 and D7 before 1.3 devices transfer customer data files via unencrypted HTTP. | |||||
| CVE-2019-16206 | 1 Broadcom | 1 Brocade Sannav | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| The authentication mechanism, in Brocade SANnav versions before v2.0, logs plaintext account credentials at the ‘trace’ and the 'debug' logging level; which could allow a local authenticated attacker to access sensitive information. | |||||
| CVE-2019-16063 | 1 Netsas | 1 Enigma Network Management Solution | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data rendered within web pages. It is possible for an attacker to expose unencrypted sensitive data. | |||||
| CVE-2019-16062 | 1 Netsas | 1 Enigma Network Management Solution | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data stored within the SQL database. It is possible for an attacker to expose unencrypted sensitive data. | |||||
| CVE-2019-15704 | 1 Fortinet | 1 Forticlient | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| A clear text storage of sensitive information vulnerability in FortiClient for Mac may allow a local attacker to read sensitive information logged in the console window when the user connects to an SSL VPN Gateway. | |||||
| CVE-2019-14959 | 1 Jetbrains | 1 Toolbox | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| JetBrains Toolbox before 1.15.5605 was resolving an internal URL via a cleartext http connection. | |||||
| CVE-2019-14954 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection. | |||||
| CVE-2019-14317 | 1 Wolfssl | 1 Wolfssl | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
| wolfSSL and wolfCrypt 4.1.0 and earlier (formerly known as CyaSSL) generate biased DSA nonces. This allows a remote attacker to compute the long term private key from several hundred DSA signatures via a lattice attack. The issue occurs because dsa.c fixes two bits of the generated nonces. | |||||
| CVE-2019-13922 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). An attacker with administrative privileges can obtain the hash of a connected device's password. The security vulnerability could be exploited by an attacker with network access to the SINEMA Remote Connect Server and administrative privileges. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2019-12924 | 1 Mailenable | 1 Mailenable | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including the highest privileged users). | |||||
| CVE-2019-12121 | 1 Onap | 1 Open Network Automation Platform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was detected in ONAP Portal through Dublin. By executing a padding oracle attack using the ONAPPORTAL/processSingleSignOn UserId field, an attacker is able to decrypt arbitrary information encrypted with the same symmetric key as UserId. All Portal setups are affected. | |||||
| CVE-2019-11836 | 1 Rediff | 1 Rediffmail | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| The Rediffmail (aka com.rediff.mail.and) application 2.2.6 for Android has cleartext mail content in file storage, persisting after a logout. | |||||
| CVE-2019-11523 | 1 Anviz | 2 M3, M3 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Anviz Global M3 Outdoor RFID Access Control executes any command received from any source. No authentication/encryption is done. Attackers can fully interact with the device: for example, send the "open door" command, download the users list (which includes RFID codes and passcodes in cleartext), or update/create users. The same attack can be executed on a local network and over the internet (if the device is exposed on a public IP address). | |||||
| CVE-2019-11405 | 1 Openapi-generator | 1 Openapi Generator | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
| OpenAPI Tools OpenAPI Generator before 4.0.0-20190419.052012-560 uses http:// URLs in various build.gradle, build.gradle.mustache, and build.sbt files, which may have caused insecurely resolved dependencies. | |||||