Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-6370

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-17 Mar, 2017 | 17:00
Updated At-05 Aug, 2024 | 15:25
Rejected At-
Credits

TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:17 Mar, 2017 | 17:00
Updated At:05 Aug, 2024 | 15:25
Rejected At:
▼CVE Numbering Authority (CNA)

TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.securityfocus.com/bid/97071
vdb-entry
x_refsource_BID
https://github.com/faizzaidi/TYPO3-v7.6.15-Unencrypted-Login-Request
x_refsource_MISC
Hyperlink: http://www.securityfocus.com/bid/97071
Resource:
vdb-entry
x_refsource_BID
Hyperlink: https://github.com/faizzaidi/TYPO3-v7.6.15-Unencrypted-Login-Request
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.securityfocus.com/bid/97071
vdb-entry
x_refsource_BID
x_transferred
https://github.com/faizzaidi/TYPO3-v7.6.15-Unencrypted-Login-Request
x_refsource_MISC
x_transferred
Hyperlink: http://www.securityfocus.com/bid/97071
Resource:
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: https://github.com/faizzaidi/TYPO3-v7.6.15-Unencrypted-Login-Request
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:17 Mar, 2017 | 17:59
Updated At:20 Apr, 2025 | 01:37

TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.05.3MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
Type: Primary
Version: 3.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
CPE Matches
TYPO3 Association
typo3
>>typo3>>7.6.15
cpe:2.3:a:typo3:typo3:7.6.15:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-319Primarynvd@nist.gov
CWE ID: CWE-319
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.securityfocus.com/bid/97071cve@mitre.org
N/A
https://github.com/faizzaidi/TYPO3-v7.6.15-Unencrypted-Login-Requestcve@mitre.org
Exploit
Third Party Advisory
http://www.securityfocus.com/bid/97071af854a3a-2127-422b-91ae-364da2661108
N/A
https://github.com/faizzaidi/TYPO3-v7.6.15-Unencrypted-Login-Requestaf854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
Hyperlink: http://www.securityfocus.com/bid/97071
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://github.com/faizzaidi/TYPO3-v7.6.15-Unencrypted-Login-Request
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
Hyperlink: http://www.securityfocus.com/bid/97071
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://github.com/faizzaidi/TYPO3-v7.6.15-Unencrypted-Login-Request
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

181Records found
CVE-2012-5890
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.32% / 54.33%
||
7 Day CHG~0.00%
Published-17 Nov, 2012 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Front End User Registration (sr_feuser_register) extension before 2.6.2 for TYPO3 allows remote attackers to obtain user names and passwords via the (1) edit perspective or (2) autologin feature.

Action-Not Available
Vendor-stanislas_rollandn/aTYPO3 Association
Product-sr_feuser_registertypo3n/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2012-1607
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5||MEDIUM
EPSS-0.70% / 71.09%
||
7 Day CHG~0.00%
Published-04 Sep, 2012 | 20:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Command Line Interface (CLI) script in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to obtain the database name via a direct request.

Action-Not Available
Vendor-n/aTYPO3 Association
Product-typo3n/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2012-1078
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.36% / 57.21%
||
7 Day CHG~0.00%
Published-14 Feb, 2012 | 17:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The System Utilities (sysutils) extension 1.0.3 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unspecified vectors related to improper "protection" of the "backup output directory."

Action-Not Available
Vendor-claus_duen/aTYPO3 Association
Product-typo3sysutilsn/a
CVE-2006-0327
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-1.45% / 79.95%
||
7 Day CHG~0.00%
Published-21 Jan, 2006 | 00:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TYPO3 3.7.1 allows remote attackers to obtain sensitive information via a direct request to (1) thumbs.php, (2) showpic.php, or (3) tables.php, which causes them to incorrectly define a variable and reveal the path in an error message when a require function call fails.

Action-Not Available
Vendor-n/aTYPO3 Association
Product-typo3n/a
CVE-2010-3673
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.46% / 62.97%
||
7 Day CHG~0.00%
Published-05 Nov, 2019 | 19:32
Updated-07 Aug, 2024 | 03:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TYPO3 before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows information disclosure in the mail header of the HTML mailing API.

Action-Not Available
Vendor-n/aTYPO3 Association
Product-typo3n/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2010-3666
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 54.85%
||
7 Day CHG~0.00%
Published-04 Nov, 2019 | 21:27
Updated-07 Aug, 2024 | 03:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness in the uniqid function.

Action-Not Available
Vendor-n/aTYPO3 Association
Product-typo3n/a
CWE ID-CWE-330
Use of Insufficiently Random Values
CVE-2010-1007
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.25% / 48.19%
||
7 Day CHG~0.00%
Published-19 Mar, 2010 | 18:35
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Power Extension Manager (ch_lightem) extension 1.0.34 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors.

Action-Not Available
Vendor-chi_hoangn/aTYPO3 Association
Product-ch_lightemtypo3n/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2009-4951
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.25% / 48.19%
||
7 Day CHG~0.00%
Published-22 Jul, 2010 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the ClickStream Analyzer [output] (alternet_csa_out) extension 0.3.0 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors.

Action-Not Available
Vendor-hans_olthoffn/aTYPO3 Association
Product-typo3alternet_csa_outn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2010-0336
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.25% / 48.19%
||
7 Day CHG~0.00%
Published-15 Jan, 2010 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the kiddog_mysqldumper (kiddog_mysqldumper) extension 0.0.3 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown attack vectors.

Action-Not Available
Vendor-n/aTYPO3 Association
Product-kiddog_mysqldumpertypo3n/a
CVE-2009-4704
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.23% / 45.75%
||
7 Day CHG~0.00%
Published-15 Mar, 2010 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Webesse E-Card (ws_ecard) extension 1.0.2 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors.

Action-Not Available
Vendor-n/aTYPO3 Association
Product-ws_ecardtypo3n/a
CVE-2009-4160
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.31% / 53.32%
||
7 Day CHG~0.00%
Published-02 Dec, 2009 | 17:00
Updated-16 Sep, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Simple download-system with counter and categories (kk_downloader) extension 1.2.1 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown attack vectors.

Action-Not Available
Vendor-kurt_kunign/aTYPO3 Association
Product-kk_downloadertypo3n/a
CVE-2009-4389
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.24% / 46.44%
||
7 Day CHG~0.00%
Published-22 Dec, 2009 | 23:00
Updated-16 Sep, 2024 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the Watchdog (aba_watchdog) extension 2.0.2 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown attack vectors.

Action-Not Available
Vendor-robert_puntigamn/aTYPO3 Association
Product-aba_watchdogtypo3n/a
CVE-2021-21339
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.13% / 33.50%
||
7 Day CHG~0.00%
Published-23 Mar, 2021 | 01:50
Updated-03 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cleartext storage of session identifier

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.

Action-Not Available
Vendor-TYPO3 Association
Product-typo3TYPO3.CMS
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2009-0815
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-49.80% / 97.73%
||
7 Day CHG~0.00%
Published-05 Mar, 2009 | 02:00
Updated-07 Aug, 2024 | 04:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.

Action-Not Available
Vendor-n/aTYPO3 Association
Product-typo3n/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2009-0255
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-5.11% / 89.44%
||
7 Day CHG~0.00%
Published-22 Jan, 2009 | 23:00
Updated-07 Aug, 2024 | 04:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an insufficiently random seed, which makes it easier for attackers to crack the key.

Action-Not Available
Vendor-n/aDebian GNU/LinuxTYPO3 Association
Product-typo3debian_linuxn/a
CWE ID-CWE-330
Use of Insufficiently Random Values
CVE-2020-26228
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.18% / 39.57%
||
7 Day CHG~0.00%
Published-23 Nov, 2020 | 21:10
Updated-04 Aug, 2024 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cleartext storage of session identifier

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described.

Action-Not Available
Vendor-TYPO3 Association
Product-typo3TYPO3.CMS
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2008-6342
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.28% / 51.18%
||
7 Day CHG~0.00%
Published-27 Feb, 2009 | 17:00
Updated-17 Sep, 2024 | 03:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the TYPO3 Simple File Browser (simplefilebrowser) extension 1.0.2 and earlier allows remote attackers to obtain sensitive information via unknown attack vectors.

Action-Not Available
Vendor-lobacher_patrickn/aTYPO3 Association
Product-typo3simplefilebrowsern/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2008-5096
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.28% / 51.24%
||
7 Day CHG~0.00%
Published-14 Nov, 2008 | 19:00
Updated-07 Aug, 2024 | 10:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the TYPO3 File List (file_list) extension 0.2.1 and earlier allows remote attackers to obtain sensitive information via unknown attack vectors.

Action-Not Available
Vendor-n/aTYPO3 Association
Product-file_list_extensiontypo3n/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2008-3049
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.29% / 52.04%
||
7 Day CHG~0.00%
Published-07 Jul, 2008 | 18:20
Updated-07 Aug, 2024 | 09:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The PDF Generator 2 (pdf_generator2) extension 0.5.0 and earlier for TYPO3 allows attackers to obtain sensitive information via unspecified vectors.

Action-Not Available
Vendor-n/aTYPO3 Association
Product-pdf_generator_2_extensionn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2008-3040
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.28% / 51.24%
||
7 Day CHG~0.00%
Published-07 Jul, 2008 | 18:20
Updated-07 Aug, 2024 | 09:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the DAM Frontend (dam_frontend) extension 0.1.0 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors.

Action-Not Available
Vendor-n/aTYPO3 Association
Product-dam_frontend_extensionn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2012-1085
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.32% / 54.33%
||
7 Day CHG~0.00%
Published-14 Feb, 2012 | 17:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the BE User Switch (beuserswitch) extension 0.0.1 for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors.

Action-Not Available
Vendor-n/aTYPO3 Association
Product-typo3beuserswitchn/a
CVE-2010-0325
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.25% / 48.19%
||
7 Day CHG~0.00%
Published-15 Jan, 2010 | 19:00
Updated-17 Sep, 2024 | 03:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in the SB Folderdownload (sb_folderdownload) extension 0.2.2 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown attack vectors.

Action-Not Available
Vendor-sebastian_baumannn/aTYPO3 Association
Product-sb_folderdownloadtypo3n/a
CVE-2022-31046
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 35.96%
||
7 Day CHG~0.00%
Published-14 Jun, 2022 | 20:40
Updated-23 Apr, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure via Export Module in TYPO3 CMS

TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the export functionality fails to limit the result set to allowed columns of a particular database table. This way, authenticated users can export internal details of database tables they already have access to. TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, 11.5.11 fix the problem described above. In order to address this issue, access to mentioned export functionality is completely denied for regular backend users.

Action-Not Available
Vendor-TYPO3 Association
Product-typo3typo3
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2019-5494
Matching Score-4
Assigner-NetApp, Inc.
ShareView Details
Matching Score-4
Assigner-NetApp, Inc.
CVSS Score-7.5||HIGH
EPSS-0.21% / 42.75%
||
7 Day CHG~0.00%
Published-10 May, 2019 | 18:55
Updated-04 Aug, 2024 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OnCommand Unified Manager 7-Mode prior to version 5.2.4 shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified vectors.

Action-Not Available
Vendor-NetApp, Inc.
Product-oncommand_unified_managerOnCommand Unified Manager 7-Mode
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2019-5635
Matching Score-4
Assigner-Rapid7, Inc.
ShareView Details
Matching Score-4
Assigner-Rapid7, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 10.99%
||
7 Day CHG~0.00%
Published-22 Aug, 2019 | 13:51
Updated-16 Sep, 2024 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hickory Smart Lock Cleartext Password

A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information.

Action-Not Available
Vendor-belwith-keelerBelwith Products, LLC
Product-hickory_smart_ethernet_bridgehickory_smart_ethernet_bridge_firmwareHickory Smart Ethernet Bridge
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2021-45100
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.12% / 32.10%
||
7 Day CHG~0.00%
Published-16 Dec, 2021 | 04:37
Updated-04 Aug, 2024 | 04:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ksmbd server through 3.4.2, as used in the Linux kernel through 5.15.8, sometimes communicates in cleartext even though encryption has been enabled. This occurs because it sets the SMB2_GLOBAL_CAP_ENCRYPTION flag when using the SMB 3.1.1 protocol, which is a violation of the SMB protocol specification. When Windows 10 detects this protocol violation, it disables encryption.

Action-Not Available
Vendor-ksmbd_projectn/aNetApp, Inc.Linux Kernel Organization, Inc
Product-h300eh500sh410c_firmwareh300s_firmwareh410sksmbdh300sh300e_firmwarelinux_kernelh500eh410s_firmwareh700s_firmwareh500s_firmwareh500e_firmwareh700eh410ch700e_firmwareh700sn/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2017-7133
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-7.5||HIGH
EPSS-0.34% / 56.16%
||
7 Day CHG~0.00%
Published-23 Oct, 2017 | 01:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "MobileBackup" component. It allows remote attackers to obtain sensitive cleartext information in opportunistic circumstances by leveraging read access to a backup archive that was supposed to have been encrypted.

Action-Not Available
Vendor-n/aApple Inc.
Product-iphone_osn/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2017-7078
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 43.24%
||
7 Day CHG~0.00%
Published-23 Oct, 2017 | 01:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in certain Apple products. iOS before 11 is affected. macOS before 10.13 is affected. The issue involves the "Mail Drafts" component. It allows remote attackers to obtain sensitive information by reading unintended cleartext transmissions.

Action-Not Available
Vendor-n/aApple Inc.
Product-iphone_osmac_os_xn/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2017-5652
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-0.33% / 55.50%
||
7 Day CHG~0.00%
Published-10 Jul, 2017 | 20:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

During a routine security analysis, it was found that one of the ports in Apache Impala (incubating) 2.7.0 to 2.8.0 sent data in plaintext even when the cluster was configured to use TLS. The port in question was used by the StatestoreSubscriber class which did not use the appropriate secure Thrift transport when TLS was turned on. It was therefore possible for an adversary, with access to the network, to eavesdrop on the packets going to and coming from that port and view the data in plaintext.

Action-Not Available
Vendor-The Apache Software Foundation
Product-impalaApache Impala
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2020-2151
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 14.39%
||
7 Day CHG~0.00%
Published-09 Mar, 2020 | 15:01
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Quality Gates Plugin 2.5 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

Action-Not Available
Vendor-Jenkins
Product-quality_gatesJenkins Quality Gates Plugin
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2017-3815
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.13% / 33.25%
||
7 Day CHG~0.00%
Published-17 Mar, 2017 | 22:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An API Privilege vulnerability in Cisco TelePresence Server Software could allow an unauthenticated, remote attacker to emulate Cisco TelePresence Server endpoints. Affected Products: This vulnerability affects Cisco TelePresence Server MSE 8710 Processors that are running a software release prior to Cisco TelePresence Software Release 4.3 and are running in locally managed mode. The vulnerable API was deprecated in Cisco TelePresence Software Release 4.3. More Information: CSCvc37616.

Action-Not Available
Vendor-n/aCisco Systems, Inc.
Product-telepresence_server_softwareCisco TelePresence Server
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2021-43270
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.08% / 24.18%
||
7 Day CHG~0.00%
Published-02 Nov, 2021 | 22:40
Updated-04 Aug, 2024 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Datalust Seq.App.EmailPlus (aka seq-app-htmlemail) 3.1.0-dev-00148, 3.1.0-dev-00170, and 3.1.0-dev-00176 can use cleartext SMTP on port 25 in some cases where encryption on port 465 was intended.

Action-Not Available
Vendor-datalustn/a
Product-seq.app.emailplusn/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2019-5503
Matching Score-4
Assigner-NetApp, Inc.
ShareView Details
Matching Score-4
Assigner-NetApp, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.50% / 65.01%
||
7 Day CHG~0.00%
Published-10 Sep, 2019 | 15:50
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OnCommand Workflow Automation versions prior to 5.0 shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified vectors.

Action-Not Available
Vendor-NetApp, Inc.
Product-oncommand_workflow_automationOnCommand Workflow Automation
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2021-41835
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.3||HIGH
EPSS-0.05% / 14.69%
||
7 Day CHG~0.00%
Published-21 Jan, 2022 | 18:17
Updated-16 Apr, 2025 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fresenius Kabi Agilia Connect Infusion System use of a broken or risky cryptographic algorithm

Fresenius Kabi Agilia Link + version 3.0 does not enforce transport layer encryption. Therefore, transmitted data may be sent in cleartext. Transport layer encryption is offered on Port TCP/443, but the affected service does not perform an automated redirect from the unencrypted service on Port TCP/80 to the encrypted service.

Action-Not Available
Vendor-fresenius-kabiFresenius Kabi
Product-link\+_agilia_firmwarevigilant_insightagilia_connectvigilant_mastermedlink\+_agiliavigilant_centeriumagilia_partner_maintenance_softwareAgilia Link+
CWE ID-CWE-327
Use of a Broken or Risky Cryptographic Algorithm
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2019-5505
Matching Score-4
Assigner-NetApp, Inc.
ShareView Details
Matching Score-4
Assigner-NetApp, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.15% / 36.84%
||
7 Day CHG~0.00%
Published-24 Sep, 2019 | 19:56
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ONTAP Select Deploy administration utility versions 2.2 through 2.12.1 transmit credentials in plaintext.

Action-Not Available
Vendor-n/aNetApp, Inc.
Product-ontap_select_deploy_administration_utilityONTAP Select Deploy administration utility
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2019-5107
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-7.5||HIGH
EPSS-0.18% / 40.24%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 23:41
Updated-04 Aug, 2024 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cleartext transmission vulnerability exists in the network communication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to network traffic can easily intercept, interpret, and manipulate data coming from, or destined for e!Cockpit. This includes passwords, configurations, and binaries being transferred to endpoints.

Action-Not Available
Vendor-wagoWago
Product-e\!cockpitWAGO e!Cockpit
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2019-5496
Matching Score-4
Assigner-NetApp, Inc.
ShareView Details
Matching Score-4
Assigner-NetApp, Inc.
CVSS Score-7.5||HIGH
EPSS-0.21% / 42.75%
||
7 Day CHG~0.00%
Published-10 May, 2019 | 19:24
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Oncommand Insight versions prior to 7.3.5 shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified vectors.

Action-Not Available
Vendor-NetApp, Inc.
Product-oncommand_insightOnCommand Insight
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2021-4161
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.13% / 32.73%
||
7 Day CHG~0.00%
Published-27 Dec, 2021 | 18:48
Updated-16 Sep, 2024 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ICSA-21-357-01 Moxa MGate Protocol Gateways

The affected products contain vulnerable firmware, which could allow an attacker to sniff the traffic and decrypt login credential details. This could give an attacker admin rights through the HTTP web server.

Action-Not Available
Vendor-Moxa Inc.
Product-mgate_mb3280_firmwaremgate_mb3280mgate_mb3180_firmwaremgate_mb3180mgate_mb3480_firmwaremgate_mb3480MGate MB3280 SeriesMGate MB3180 SeriesMGate MB3480 Series
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2021-39882
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.10% / 28.61%
||
7 Day CHG~0.00%
Published-05 Oct, 2021 | 12:22
Updated-04 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2021-40392
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-5.3||MEDIUM
EPSS-0.14% / 34.69%
||
7 Day CHG~0.00%
Published-14 Apr, 2022 | 19:56
Updated-15 Apr, 2025 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information disclosure vulnerability exists in the Web Application functionality of Moxa MXView Series 3.2.4. Network sniffing can lead to a disclosure of sensitive information. An attacker can sniff network traffic to exploit this vulnerability.

Action-Not Available
Vendor-Moxa Inc.
Product-mxviewMXView Series
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2021-39342
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.13% / 33.47%
||
7 Day CHG~0.00%
Published-29 Sep, 2021 | 19:39
Updated-31 Mar, 2025 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Credova_Financial <= 1.4.8 Sensitive Information Disclosure

The Credova_Financial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8.

Action-Not Available
Vendor-credovaCredova Financial
Product-financialCredova_Financial
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-11557
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.17% / 38.40%
||
7 Day CHG~0.00%
Published-09 Apr, 2020 | 12:29
Updated-04 Aug, 2024 | 11:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. It includes the username and password values in cleartext within each request's cookie value.

Action-Not Available
Vendor-castlerockn/a
Product-snmpc_onlinen/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2017-15290
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.14% / 34.70%
||
7 Day CHG~0.00%
Published-12 Oct, 2017 | 16:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mirasys Video Management System (VMS) 6.x before 6.4.6, 7.x before 7.5.15, and 8.x before 8.1.1 has a login process in which cleartext data is sent from a server to a client, and not all of this data is required for the client functionality.

Action-Not Available
Vendor-mirasysn/a
Product-video_management_systemn/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2019-4689
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 17.74%
||
7 Day CHG~0.00%
Published-26 Aug, 2020 | 19:00
Updated-16 Sep, 2024 | 23:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 171826.

Action-Not Available
Vendor-IBM Corporation
Product-guardium_data_encryptionguardium_for_cloud_key_managementSecurity Guardium Data Encryption
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2019-4382
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.34% / 55.90%
||
7 Day CHG~0.00%
Published-25 Jun, 2019 | 15:45
Updated-17 Sep, 2024 | 01:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM API Connect 5.0.0.0 through 5.0.8.6 could allow an unauthorized user to obtain sensitive information about the system users using specially crafted HTTP requests. IBM X-Force ID: 162162.

Action-Not Available
Vendor-IBM Corporation
Product-api_connectAPI Connect
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2019-3793
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-8.1||HIGH
EPSS-0.30% / 52.44%
||
7 Day CHG~0.00%
Published-24 Apr, 2019 | 15:21
Updated-17 Sep, 2024 | 02:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Invitations Service supports HTTP connections

Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials used to make the invitation requests.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-application_serviceApps Manager
CWE ID-CWE-300
Channel Accessible by Non-Endpoint
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2021-45735
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.25% / 47.87%
||
7 Day CHG~0.00%
Published-04 Feb, 2022 | 01:33
Updated-04 Aug, 2024 | 04:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to use the HTTP protocol for authentication into the admin interface, allowing attackers to intercept user credentials via packet capture software.

Action-Not Available
Vendor-n/aTOTOLINK
Product-x5000r_firmwarex5000rn/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2017-14486
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.15% / 35.79%
||
7 Day CHG~0.00%
Published-01 Dec, 2017 | 17:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Vibease Wireless Remote Vibrator app for Android and the Vibease Chat app for iOS use cleartext to exchange messages with other apps and the PLAIN SASL mechanism to send auth tokens to Vibease servers, which allows remote attackers to obtain user credentials, messages, and other sensitive information by sniffing the network for XMPP traffic.

Action-Not Available
Vendor-vibeasen/a
Product-wireless_remote_vibratorchatn/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2019-4162
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 18.91%
||
7 Day CHG~0.00%
Published-06 Jun, 2019 | 20:45
Updated-17 Sep, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 is missing the HTTP Strict Transport Security header. Users can navigate by mistake to the unencrypted version of the web application or accept invalid certificates. This leads to sensitive data being sent unencrypted over the wire. IBM X-Force ID: 158661.

Action-Not Available
Vendor-IBM Corporation
Product-security_information_queueSecurity Information Queue
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2005-2069
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5||MEDIUM
EPSS-2.84% / 85.67%
||
7 Day CHG~0.00%
Published-29 Jun, 2005 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password.

Action-Not Available
Vendor-padlopenldapn/a
Product-openldapnss_ldappam_ldapn/a
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found