Total
548 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-7960 | 1 Huawei | 2 Espace 7950, Espace 7950 Firmware | 2024-02-04 | 5.8 MEDIUM | 7.4 HIGH |
| There is a SRTP icon display vulnerability in Huawei eSpace product. An unauthenticated, remote attacker launches man-in-the-middle attack to intercept the packets in non-secure transmission mode. Successful exploitation may intercept and tamper with the call information, eventually cause sensitive information leak. | |||||
| CVE-2018-15752 | 1 Mensamax | 1 Mensamax | 2024-02-04 | 4.3 MEDIUM | 8.1 HIGH |
| An issue was discovered in the MensaMax (aka com.breustedt.mensamax) application 4.3 for Android. Cleartext Transmission of Sensitive Information allows man-in-the-middle attackers to eavesdrop authentication information between the application and the server. | |||||
| CVE-2018-1525 | 1 Ibm | 1 I2 Enterprise Insight Analysis | 2024-02-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM i2 Enterprise Insight Analysis 2.1.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 142117. | |||||
| CVE-2018-11050 | 1 Dell | 1 Emc Networker | 2024-02-04 | 3.3 LOW | 8.8 HIGH |
| Dell EMC NetWorker versions between 9.0 and 9.1.1.8 through 9.2.1.3, and the version 18.1.0.1 contain a Clear-Text authentication over network vulnerability in the Rabbit MQ Advanced Message Queuing Protocol (AMQP) component. User credentials are sent unencrypted to the remote AMQP service. An unauthenticated attacker in the same network collision domain, could potentially sniff the password from the network and use it to access the component using the privileges of the compromised user. | |||||
| CVE-2018-11749 | 1 Puppet | 1 Puppet Enterprise | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
| When users are configured to use startTLS with RBAC LDAP, at login time, the user's credentials are sent via plaintext to the LDAP server. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. It scored an 8.5 CVSS score. | |||||
| CVE-2018-18071 | 1 Mercedes-benz | 1 Mercedes Me | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the Daimler Mercedes-Benz Me app 2.11.0-846 for iOS. The encrypted Connected Vehicle API data exchange between the app and a server might be intercepted. The app can be used to operate the Remote Parking Pilot, unlock the vehicle, or obtain sensitive information such as latitude, longitude, and direction of travel. | |||||
| CVE-2019-7675 | 1 Mobotix | 2 S14, S14 Firmware | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. The default management application is delivered over cleartext HTTP with Basic Authentication, as demonstrated by the /admin/index.html URI. | |||||
| CVE-2018-18908 | 1 Sky | 1 Sky Go | 2024-02-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Sky Go Desktop application 1.0.19-1 through 1.0.23-1 for Windows performs several requests over cleartext HTTP. This makes the data submitted in these requests prone to Man in The Middle (MiTM) attacks, whereby an attacker would be able to obtain the data sent in these requests. Some of the requests contain potentially sensitive information that could be useful to an attacker, such as the victim's Sky username. | |||||
| CVE-2018-10634 | 1 Medtronic | 18 Minimed 530g Mmt-551, Minimed 530g Mmt-551 Firmware, Minimed 530g Mmt-751 and 15 more | 2024-02-04 | 2.9 LOW | 5.3 MEDIUM |
| Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G communications between the pump and wireless accessories are transmitted in cleartext. A sufficiently skilled attacker could capture these transmissions and extract sensitive information, such as device serial numbers. | |||||
| CVE-2019-5489 | 2 Linux, Netapp | 3 Linux Kernel, Active Iq Performance Analytics Services, Element Software Management Node | 2024-02-04 | 2.1 LOW | 5.5 MEDIUM |
| The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. | |||||
| CVE-2018-8842 | 1 Philips | 1 E-alert Firmware | 2024-02-04 | 3.3 LOW | 8.8 HIGH |
| Philips e-Alert Unit (non-medical device), Version R2.1 and prior. The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. The Philips e-Alert communication channel is not encrypted which could therefore lead to disclosure of personal contact information and application login credentials from within the same subnet. | |||||
| CVE-2018-12674 | 1 Sv3c | 4 H.264 Poe Ip Camera Firmware, Sv-b01poe-1080p-l, Sv-b11vpoe-1080p-l and 1 more | 2024-02-04 | 2.9 LOW | 5.7 MEDIUM |
| The SV3C HD Camera (L-SERIES V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B) stores the username and password within the cookies of a session. If an attacker gained access to these session cookies, it would be possible to gain access to the username and password of the logged-in account. | |||||
| CVE-2018-12710 | 1 Dlink | 2 Dir-601, Dir-601 Firmware | 2024-02-04 | 2.7 LOW | 8.0 HIGH |
| An issue was discovered on D-Link DIR-601 2.02NA devices. Being local to the network and having only "User" account (which is a low privilege account) access, an attacker can intercept the response from a POST request to obtain "Admin" rights due to the admin password being displayed in XML. | |||||
| CVE-2018-5401 | 2 Arm, Auto-maskin | 6 Arm7, Dcu 210e, Dcu 210e Firmware and 3 more | 2024-02-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App transmit sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. The devices transmit process control information via unencrypted Modbus communications. Impact: An attacker can exploit this vulnerability to observe information about configurations, settings, what sensors are present and in use, and other information to aid in crafting spoofed messages. Requires access to the network. Affected releases are Auto-Maskin DCU-210E, RP-210E, and Marine Pro Observer Android App. Versions prior to 3.7 on ARMv7. | |||||
| CVE-2018-16225 | 2 Qbeecam, Swisscom | 4 Qbee Multi-sensor Camera, Qbee Multi-sensor Camera Firmware, Qbeecam and 1 more | 2024-02-04 | 6.1 MEDIUM | 6.5 MEDIUM |
| The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network traffic from clients (such as the QBee Cam application through 1.0.5 for Android and the Swisscom Home application up to 10.7.2 for Android), which results in an attacker being able to reuse cookies to bypass authentication and disable the camera. | |||||
| CVE-2018-17195 | 1 Apache | 1 Nifi | 2024-02-04 | 5.1 MEDIUM | 7.5 HIGH |
| The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | |||||
| CVE-2018-14627 | 1 Redhat | 1 Wildfly | 2024-02-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections: <transport-config confidentiality="required" trust-in-target="supported"/> | |||||
| CVE-2018-19111 | 1 Google | 1 Cardboard | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Google Cardboard application 1.8 for Android and 1.2 for iOS sends potentially private cleartext information to the Unity 3D Stats web site, as demonstrated by device make, model, and OS. | |||||
| CVE-2018-8855 | 1 Echelon | 8 I.lon 100, I.lon 100 Firmware, I.lon 600 and 5 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP. | |||||
| CVE-2018-13140 | 3 Druide, Linux, Microsoft | 3 Antidote 9, Linux Kernel, Windows | 2024-02-04 | 9.3 HIGH | 8.1 HIGH |
| Druide Antidote through 9.5.1 on Windows and Linux allows remote code execution through the update mechanism by leveraging use of HTTP to download installation packages. | |||||