Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-15581

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-27 Oct, 2017 | 20:00
Updated At-05 Aug, 2024 | 19:57
Rejected At-
Credits

In the "Diary with lock" (aka WriteDiary) application 4.72 for Android, neither HTTPS nor other encryption is used for transmitting data, despite the documentation that the product is intended for "a personal journal of ... secrets and feelings," which allows remote attackers to obtain sensitive information by sniffing the network during LoginActivity or NoteActivity execution.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:27 Oct, 2017 | 20:00
Updated At:05 Aug, 2024 | 19:57
Rejected At:
▼CVE Numbering Authority (CNA)

In the "Diary with lock" (aka WriteDiary) application 4.72 for Android, neither HTTPS nor other encryption is used for transmitting data, despite the documentation that the product is intended for "a personal journal of ... secrets and feelings," which allows remote attackers to obtain sensitive information by sniffing the network during LoginActivity or NoteActivity execution.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://1337sec.blogspot.de/2017/10/auditing-writediarycom-cve-2017-15581.html
x_refsource_MISC
https://gist.github.com/anonymous/603b89f864a71426042b167cab557efa
x_refsource_MISC
Hyperlink: https://1337sec.blogspot.de/2017/10/auditing-writediarycom-cve-2017-15581.html
Resource:
x_refsource_MISC
Hyperlink: https://gist.github.com/anonymous/603b89f864a71426042b167cab557efa
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://1337sec.blogspot.de/2017/10/auditing-writediarycom-cve-2017-15581.html
x_refsource_MISC
x_transferred
https://gist.github.com/anonymous/603b89f864a71426042b167cab557efa
x_refsource_MISC
x_transferred
Hyperlink: https://1337sec.blogspot.de/2017/10/auditing-writediarycom-cve-2017-15581.html
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://gist.github.com/anonymous/603b89f864a71426042b167cab557efa
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:27 Oct, 2017 | 20:29
Updated At:20 Apr, 2025 | 01:37

In the "Diary with lock" (aka WriteDiary) application 4.72 for Android, neither HTTPS nor other encryption is used for transmitting data, despite the documentation that the product is intended for "a personal journal of ... secrets and feelings," which allows remote attackers to obtain sensitive information by sniffing the network during LoginActivity or NoteActivity execution.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.07.5HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
Type: Primary
Version: 3.0
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
CPE Matches
writediary
writediary
>>diary_with_lock>>4.72
cpe:2.3:a:writediary:diary_with_lock:4.72:*:*:*:*:android:*:*
Weaknesses
CWE IDTypeSource
CWE-311Primarynvd@nist.gov
CWE ID: CWE-311
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://1337sec.blogspot.de/2017/10/auditing-writediarycom-cve-2017-15581.htmlcve@mitre.org
Issue Tracking
Third Party Advisory
https://gist.github.com/anonymous/603b89f864a71426042b167cab557efacve@mitre.org
Issue Tracking
Third Party Advisory
https://1337sec.blogspot.de/2017/10/auditing-writediarycom-cve-2017-15581.htmlaf854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Third Party Advisory
https://gist.github.com/anonymous/603b89f864a71426042b167cab557efaaf854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Third Party Advisory
Hyperlink: https://1337sec.blogspot.de/2017/10/auditing-writediarycom-cve-2017-15581.html
Source: cve@mitre.org
Resource:
Issue Tracking
Third Party Advisory
Hyperlink: https://gist.github.com/anonymous/603b89f864a71426042b167cab557efa
Source: cve@mitre.org
Resource:
Issue Tracking
Third Party Advisory
Hyperlink: https://1337sec.blogspot.de/2017/10/auditing-writediarycom-cve-2017-15581.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Issue Tracking
Third Party Advisory
Hyperlink: https://gist.github.com/anonymous/603b89f864a71426042b167cab557efa
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Issue Tracking
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

60Records found
CVE-2017-9604
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.26% / 49.48%
||
7 Day CHG~0.00%
Published-13 Jun, 2017 | 13:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network.

Action-Not Available
Vendor-n/aKDE
Product-kmailmessagelibkden/a
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2017-9632
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.07% / 20.96%
||
7 Day CHG~0.00%
Published-07 Aug, 2017 | 08:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Missing Encryption of Sensitive Data issue was discovered in PDQ Manufacturing LaserWash G5 and G5 S Series all versions, LaserWash M5, all versions, LaserWash 360 and 360 Plus, all versions, LaserWash AutoXpress and AutoExpress Plus, all versions, LaserJet, all versions, ProTouch Tandem, all versions, ProTouch ICON, all versions, and ProTouch AutoGloss, all versions. The username and password are transmitted insecurely.

Action-Not Available
Vendor-pdqincn/a
Product-laserwash_m5laserwash_autoxpressprotouch_iconprotouch_autoglosslaserwash_autoxpress_pluslaserwash_autoxpress_plus_firmwarelaserwash_g5_s_firmwareprotouch_icon_firmwarelaserwash_g5_firmwareprotouch_tandemlaserwash_g5laserjet_firmwarelaserwash_m5_firmwarelaserwash_360laserwash_autoxpress_firmwareprotouch_tandem_firmwareprotouch_autogloss_firmwarelaserwash_360_firmwarelaserwash_360_plus_firmwarelaserwash_360_pluslaserjetlaserwash_g5_sPDQ Manufacturing, Inc. LaserWash, Laser Jet and ProTouch
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2017-8221
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-19.07% / 95.10%
||
7 Day CHG~0.00%
Published-25 Apr, 2017 | 20:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Wireless IP Camera (P2P) WIFICAM devices rely on a cleartext UDP tunnel protocol (aka the Cloud feature) for communication between an Android application and a camera device, which allows remote attackers to obtain sensitive information by sniffing the network.

Action-Not Available
Vendor-wificamn/a
Product-wireless_ip_camera_\(p2p\)wireless_ip_camera_\(p2p\)_firmwaren/a
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2017-7406
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.10% / 28.60%
||
7 Day CHG~0.00%
Published-07 Jul, 2017 | 12:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The D-Link DIR-615 device before v20.12PTb04 doesn't use SSL for any of the authenticated pages. Also, it doesn't allow the user to generate his own SSL Certificate. An attacker can simply monitor network traffic to steal a user's credentials and/or credentials of users being added while sniffing the traffic.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-615n/a
CWE ID-CWE-295
Improper Certificate Validation
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2021-37189
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.19% / 40.67%
||
7 Day CHG~0.00%
Published-10 Dec, 2021 | 12:47
Updated-04 Aug, 2024 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Digi TransPort Gateway devices through 5.2.13.4. They do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session.

Action-Not Available
Vendor-digin/a
Product-transport_wr31_firmwaretransport_wr11_firmwaretransport_wr21_firmwaretransport_wr11_xttransport_wr11transport_wr41_firmwaretransport_wr11_xt_firmwaretransport_wr31transport_wr44_firmwaretransport_wr41transport_wr44transport_wr21n/a
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2021-35236
Matching Score-4
Assigner-SolarWinds
ShareView Details
Matching Score-4
Assigner-SolarWinds
CVSS Score-3.1||LOW
EPSS-0.50% / 64.83%
||
7 Day CHG~0.00%
Published-27 Oct, 2021 | 00:57
Updated-16 Sep, 2024 | 21:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Secure Flag From SSL Cookie

The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP, there is a potential for the cookie can be sent in clear text.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-kiwi_syslog_serverKiwi Syslog Server
CWE ID-CWE-614
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2017-15609
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.12% / 31.19%
||
7 Day CHG~0.00%
Published-19 Oct, 2017 | 08:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop Targets.

Action-Not Available
Vendor-n/aOctopus Deploy Pty. Ltd.
Product-octopus_deployn/a
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2021-29248
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.13% / 32.81%
||
7 Day CHG~0.00%
Published-05 May, 2021 | 12:25
Updated-03 Aug, 2024 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the Secure flag for a cookie.

Action-Not Available
Vendor-btcpayservern/a
Product-btcpay_servern/a
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2020-9774
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-7.5||HIGH
EPSS-0.15% / 36.25%
||
7 Day CHG~0.00%
Published-27 Oct, 2020 | 20:12
Updated-04 Aug, 2024 | 10:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue existed with Siri Suggestions access to encrypted data. The issue was fixed by limiting access to encrypted data. This issue is fixed in macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra. Encrypted data may be inappropriately accessed.

Action-Not Available
Vendor-Apple Inc.
Product-mac_os_xmacOS
CWE ID-CWE-311
Missing Encryption of Sensitive Data
CVE-2017-9854
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.17% / 38.86%
||
7 Day CHG~0.00%
Published-05 Aug, 2017 | 17:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in SMA Solar Technology products. By sniffing for specific packets on the localhost, plaintext passwords can be obtained as they are typed into Sunny Explorer by the user. These passwords can then be used to compromise the overall device. NOTE: the vendor reports that exploitation likelihood is low because these packets are usually sent only once during installation. Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected

Action-Not Available
Vendor-sman/a
Product-sunny_central_storage_800sunny_central_630cp_xt_firmwaresunny_boy_5000tlsunny_boy_5.0_firmwaresunny_boy_3600sunny_boy_3600tlsunny_boy_3.0_firmwaresunny_central_storage_800_firmwaresunny_central_800cp_xt_firmwaresunny_tripower_25000tlsunny_boy_3600_firmwaresunny_central_720cp_xt_firmwaresunny_central_storage_500sunny_tripower_25000tl_firmwaresunny_central_2200_firmwaresunny_tripower_5000tlsunny_tripower_20000tl_firmwaresunny_central_storage_850sunny_central_storage_900_firmwaresunny_tripower_15000tl_firmwaresunny_central_storage_720_firmwaresunny_tripower_12000tlsunny_central_storage_2200sunny_tripower_60_firmwaresunny_central_760cp_xtsunny_boy_4.0_firmwaresunny_central_storage_2500-evsunny_central_850cp_xt_firmwaresunny_central_500cp_xt_firmwaresunny_boy_5000sunny_boy_1.5sunny_central_800cp_xtsunny_central_storage_1000_firmwaresunny_tripower_20000tlsunny_central_storage_2200_firmwaresunny_central_storage_850_firmwaresunny_central_storage_630_firmwaresunny_central_storage_760_firmwaresunny_boy_3.6sunny_central_storage_630sunny_central_500cp_xtsunny_tripower_core1_firmwaresunny_central_720cp_xtsunny_tripower_core1sunny_central_storage_500_firmwaresunny_boy_4000tlsunny_central_630cp_xtsunny_boy_3600tl_firmwaresunny_boy_4.0sunny_boy_2.5sunny_central_storage_760sunny_central_760cp_xt_firmwaresunny_tripower_15000tlsunny_boy_storage_2.5sunny_boy_5000_firmwaresunny_central_storage_900sunny_boy_1.5_firmwaresunny_boy_3000tlsunny_boy_2.5_firmwaresunny_boy_4000tl_firmwaresunny_central_storage_1000sunny_boy_storage_2.5_firmwaresunny_tripower_5000tl_firmwaresunny_tripower_60sunny_central_900cp_xt_firmwaresunny_boy_5000tl_firmwaresunny_central_storage_2500-ev_firmwaresunny_central_2200sunny_boy_3.0sunny_central_1000cp_xt_firmwaresunny_central_storage_720sunny_boy_5.0sunny_boy_3.6_firmwaresunny_central_850cp_xtsunny_central_900cp_xtsunny_tripower_12000tl_firmwaresunny_boy_3000tl_firmwaresunny_central_1000cp_xtn/a
CWE ID-CWE-311
Missing Encryption of Sensitive Data
  • Previous
  • 1
  • 2
  • Next
Details not found