Total: 639 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-3494 | 1 Theforeman | 1 Foreman | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM | A smart proxy that provides a RESTful API to various sub-systems of Foreman is affected by a flaw that enables a man-in-the-middle attack. The FreeIPA module of the Foreman smart proxy does not check the SSL certificate, so an unauthenticated attacker can perform actions in FreeIPA if certain conditions are met. The highest threat from this flaw is to system confidentiality. This flaw affects Foreman versions before 2.5.0.
CVE-2021-3417 | 1 Lenovo | 1 Xclarity Orchestrator | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM | An internal product security audit of LXCO, prior to version 1.2.2, discovered that credentials for Lenovo XClarity Administrator (LXCA), if added as a Resource Manager, are encoded and then written to an internal LXCO log file each time a session is established with LXCA. Affected logs are captured in the First Failure Data Capture (FFDC) service log. The FFDC service log is only generated when requested by a privileged LXCO user and is only accessible to the privileged LXCO user that requested the file.
CVE-2021-3003 | 1 Agenziaentrate | 1 Desktop Telematico | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM | Agenzia delle Entrate Desktop Telematico 1.0.0 contacts the jws.agenziaentrate.it server over cleartext HTTP, which allows man-in-the-middle attackers to spoof product updates.
CVE-2021-39882 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | In all versions of GitLab CE/EE, given a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user.
CVE-2021-39272 | 2 Fedoraproject, Fetchmail | 2 Fedora, Fetchmail | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM | Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
CVE-2021-39026 | 1 Ibm | 1 Guardium Data Encryption | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM | IBM Guardium Data Encryption (GDE) 5.0.0.2 and 5.0.0.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques. IBM X-Force ID: 213964.
CVE-2021-38978 | 3 Ibm, Linux, Microsoft | 5 Aix, Security Guardium Key Lifecycle Manager, Security Key Lifecycle Manager and 2 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM | IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques. IBM X-Force ID: 212783.
CVE-2021-38828 | 1 Xiongmaitech | 2 Xm-jpr2-lx, Xm-jpr2-lx Firmware | 2024-11-21 | N/A | 5.3 MEDIUM | Xiongmai Camera XM-JPR2-LX V4.02.R12.A6420987.10002.147502.00000 is vulnerable to plaintext traffic sniffing.
CVE-2021-38418 | 1 Deltaww | 1 Dialink | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH | Delta Electronics DIALink versions 1.2.4.0 and prior run by default on HTTP, which may allow an attacker positioned on the network path to perform a machine-in-the-middle attack and access information without authorization.
CVE-2021-38373 | 1 Kde | 1 Kmail | 2024-11-21 | 3.5 LOW | 5.3 MEDIUM | In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and messages are sent in cleartext) unless "Server requires authentication" is checked.
CVE-2021-38142 | 1 Barco | 1 Mirrorop Windows Sender | 2024-11-21 | 7.2 HIGH | 8.8 HIGH | Barco MirrorOp Windows Sender before 2.5.3.65 uses cleartext HTTP and thus allows rogue software upgrades. An attacker on the local network can achieve remote code execution on any computer that tries to update Windows Sender, because the upgrade mechanism is not protected with TLS.
CVE-2021-37939 | 1 Elastic | 1 Kibana | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW | It was discovered that Kibana's JIRA connector and IBM Resilient connector could be used to return HTTP response data from internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors could use them to view limited HTTP response data from hosts accessible to the cluster.
CVE-2021-36382 | 1 Devolutions | 1 Devolutions Server | 2024-11-21 | 4.3 MEDIUM | 2.6 LOW | Devolutions Server before 2021.1.18, and LTS before 2020.3.20, allows attackers to intercept private keys via a man-in-the-middle attack against the connections/partial endpoint (which accepts cleartext).
CVE-2021-36165 | 1 Riconmobile | 2 S9922l, S9922l Firmware | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | RICON Industrial Cellular Router S9922L 16.10.3(3794) is affected by cleartext storage of sensitive information and sends the username and password base64-encoded (not encrypted).
CVE-2021-35246 | 1 Solarwinds | 1 Engineer's Toolset | 2024-11-21 | N/A | 5.3 MEDIUM | The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users.
CVE-2021-34825 | 2 Fedoraproject, Quassel-irc | 2 Fedora, Quassel | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH | Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system.
CVE-2021-33900 | 1 Apache | 1 Directory Studio | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue affects Apache Directory Studio version 2.0.0.v20210213-M16 and prior versions.
CVE-2021-33883 | 1 Bbraun | 3 Infusomat Large Volume Pump 871305u, Spacecom2, Spacestation 8713142u | 2024-11-21 | 5.0 MEDIUM | 5.9 MEDIUM | A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump's internal configuration.
CVE-2021-33408 | 1 Abinitio | 1 Control>Center | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | Local File Inclusion vulnerability in Ab Initio Control>Center before 4.0.2.6 allows remote attackers to retrieve arbitrary files. Fixed in v4.0.2.6 and v4.0.3.1.
CVE-2021-33022 | 1 Philips | 4 Myvue, Speech, Vue Motion and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | Philips Vue PACS versions 12.2.x.x and prior transmit sensitive or security-critical data in cleartext over a communication channel that can be sniffed by unauthorized actors.
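The STARTTLS entries in this list (Fetchmail with IMAP PREAUTH, KMail honouring STARTTLS only when authentication is required, Apache Directory Studio dropping StartTLS under SASL) share one failure class: the TLS upgrade is made conditional on something other than the user's "encryption required" setting. The example below is added here for illustration and is not code from Fetchmail, KMail, or any other project in the table. It models a mail client's upgrade decision for IMAP and SMTP over constructed server transcripts (the `example.test` hostnames, transcript names, and function names are all assumptions), places the hardened policy beside two flawed variants paraphrased from the CVE descriptions, and shows the post-STARTTLS context that actually verifies the peer, the step the Foreman smart proxy entry omitted.

```python
"""STARTTLS policy check for a mail client, modelled on the failure class in
CVE-2021-39272 (fetchmail, IMAP PREAUTH) and CVE-2021-38373 (KMail, STARTTLS
tied to the authentication path). Added example; not code from either project.
"""
import re
import ssl
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    UPGRADE = "issue STARTTLS, then verify the server certificate"
    ABORT = "abort: TLS required but the session cannot be upgraded"
    PLAINTEXT = "continue in cleartext (policy does not require TLS)"


@dataclass(frozen=True)
class Session:
    protocol: str        # "imap" or "smtp"
    server_lines: tuple  # everything the server sent before the client commits
    needs_auth: bool     # will the client send credentials on this connection?
    require_tls: bool    # user/admin policy: encryption is mandatory


def capabilities(protocol, server_lines):
    """Advertised capabilities from an IMAP greeting/CAPABILITY reply or from
    the multi-line 250 response to SMTP EHLO, upper-cased."""
    caps = set()
    if protocol == "imap":
        for line in server_lines:
            m = re.search(r"\bCAPABILITY\b([^\]]*)", line)
            if m:
                caps.update(m.group(1).split())
    elif protocol == "smtp":
        ehlo = [line for line in server_lines if line.startswith("250")]
        for line in ehlo[1:]:            # ehlo[0] is "250-<hostname> ..."
            caps.add(line[4:].split()[0])
    return frozenset(c.upper() for c in caps)


def is_preauth(s):
    return s.protocol == "imap" and s.server_lines[0].upper().startswith("* PREAUTH")


def decide(s):
    """Hardened policy: the TLS requirement does not depend on whether we will
    authenticate, and 'no upgrade path' under require_tls is a hard error."""
    # RFC 3501: STARTTLS is only valid in the not-authenticated state, so a
    # PREAUTH greeting leaves no way to upgrade this connection.
    can_upgrade = not is_preauth(s) and "STARTTLS" in capabilities(s.protocol, s.server_lines)
    if can_upgrade:
        return Decision.UPGRADE
    return Decision.ABORT if s.require_tls else Decision.PLAINTEXT


def decide_auth_gated(s):
    """Flawed variant (KMail-style, per the CVE text): STARTTLS is only
    considered on the authenticating path, so with needs_auth=False the
    message leaves in cleartext."""
    if not s.needs_auth:
        return Decision.PLAINTEXT
    return decide(s)


def decide_preauth_trusted(s):
    """Flawed variant (fetchmail-style, per the CVE text): PREAUTH is taken as
    'nothing left to protect' and fetching proceeds in cleartext even though
    the user required TLS."""
    if is_preauth(s):
        return Decision.PLAINTEXT
    return decide(s)


def tls_context():
    """Context for the post-STARTTLS handshake. The defaults verify the chain
    and the hostname; skipping that is the Foreman smart-proxy flaw above."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed server transcripts (not captured from any real product).
TRANSCRIPTS = {
    "imap_starttls": ("imap", ("* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready",)),
    "imap_preauth": ("imap", ("* PREAUTH [CAPABILITY IMAP4rev1] logged in as proxyuser",)),
    "imap_no_tls": ("imap", ("* OK ready", "* CAPABILITY IMAP4rev1 AUTH=PLAIN")),
    "smtp_starttls": ("smtp", ("220 mx.example.test ESMTP", "250-mx.example.test Hello",
                               "250-STARTTLS", "250 AUTH PLAIN LOGIN")),
    "smtp_no_tls": ("smtp", ("220 mx.example.test ESMTP", "250-mx.example.test Hello",
                             "250 AUTH PLAIN LOGIN")),
}


def evaluate(name, needs_auth=True, require_tls=True, policy=decide):
    protocol, lines = TRANSCRIPTS[name]
    return policy(Session(protocol, lines, needs_auth, require_tls))


if __name__ == "__main__":
    for name in TRANSCRIPTS:
        print(f"{name:14} hardened={evaluate(name).name:9} "
              f"auth_gated(no auth)={evaluate(name, needs_auth=False, policy=decide_auth_gated).name:9} "
              f"preauth_trusted={evaluate(name, policy=decide_preauth_trusted).name}")
```

The point to take from the two flawed variants is that both return `PLAINTEXT` for a session the user marked `require_tls=True`; neither ever errors, so the downgrade is silent. A client that wants to tolerate servers without STARTTLS should do so only with `require_tls=False`, and should know that this opportunistic mode is exactly what an on-path attacker strips from the capability list. The Quassel entry is the server-side mirror image of the same bug: `--require-ssl` must refuse to start when no certificate is usable, not fall back to a cleartext listener.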
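Two IBM entries above (Guardium Data Encryption and Tivoli Key Lifecycle Manager) are recorded as a failure to enable HTTP Strict Transport Security. The check below is an added example, not IBM's or NVD's code, that evaluates a `Strict-Transport-Security` header offline against the rules in RFC 6797: the header is mandatory, it is ignored when received over plain http, `max-age` must be numeric and non-zero, and a short lifetime lets the policy lapse between visits. The response samples, the one-year threshold and the function names are constructed for the example.

```python
"""Offline check of Strict-Transport-Security headers, the control whose
absence NVD records for IBM Guardium Data Encryption (CVE-2021-39026) and
IBM Tivoli Key Lifecycle Manager (CVE-2021-38978). Added example, not IBM code.
"""
ONE_YEAR = 31_536_000  # seconds; the value the HSTS preload list requires


def parse_hsts(value):
    """Split a Strict-Transport-Security field value into directives
    (RFC 6797 section 6.1). Names are case-insensitive; valueless
    directives such as includeSubDomains are recorded as True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if has_value else True
    return directives


def assess_hsts(scheme, headers, min_age=ONE_YEAR):
    """Return findings for one response (empty list means acceptable).
    `scheme` is the scheme the response was fetched over; `headers` is a
    name->value mapping with arbitrary case."""
    lowered = {k.lower(): v for k, v in headers.items()}
    sts = lowered.get("strict-transport-security")
    if sts is None:
        return ["HSTS header missing: the browser never learns to force https,"
                " so an on-path attacker can keep the user on http"]
    findings = []
    if scheme != "https":
        # RFC 6797 section 8.1: STS received over insecure transport is ignored.
        findings.append("HSTS header sent over http is ignored by user agents")
    d = parse_hsts(sts)
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        findings.append("max-age missing or non-numeric: invalid header, policy not applied")
        return findings
    age = int(max_age)
    if age == 0:
        findings.append("max-age=0 removes any stored policy for this host")
    elif age < min_age:
        findings.append(f"max-age={age} is below {min_age}s: policy lapses between visits")
    if "includesubdomains" not in d:
        findings.append("advisory: includeSubDomains absent, cleartext subdomains can"
                        " still receive parent-domain cookies")
    return findings


# Constructed responses (not captured from any real product).
SAMPLES = {
    "no_hsts": ("https", {"Content-Type": "text/html"}),
    "good": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    "short": ("https", {"strict-transport-security": "max-age=300"}),
    "cleared": ("https", {"Strict-Transport-Security": "max-age=0"}),
    "over_http": ("http", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "malformed": ("https", {"Strict-Transport-Security": "includeSubDomains"}),
}


def scan(samples=SAMPLES):
    return {name: assess_hsts(scheme, headers) for name, (scheme, headers) in samples.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(f"{name:10} {'OK' if not findings else '; '.join(findings)}")
```

Two caveats a practitioner should keep in mind when reading the verdicts: HSTS is trust-on-first-use, so even a correct header does nothing for a user whose very first visit is intercepted (preloading closes that gap), and the header only governs browsers. Thick clients such as the SolarWinds and Delta Electronics entries above need the server to refuse plain http outright, which this check does not test.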