Total: 639 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-20061 | 1 Mfscripts | 1 Yetishare | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5.4 may leak the (system-picked) password if this email is sent in cleartext. In other words, the user is not allowed to choose their own initial password. | |||||
CVE-2019-19967 | 1 Upc | 2 Connect Box Eurodocsis, Connect Box Eurodocsis Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The Administration page on Connect Box EuroDOCSIS 3.0 Voice Gateway CH7465LG-NCIP-6.12.18.25-2p6-NOSH devices accepts a cleartext password in a POST request on port 80, as demonstrated by the Password field to the xml/setter.xml URI. | |||||
CVE-2019-19898 | 1 Ixpdata | 1 Easyinstall | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
In IXP EasyInstall 6.2.13723, there are cleartext credentials in network communication on TCP port 20050 when using the Administrator console remotely. | |||||
CVE-2019-19890 | 1 Humaxdigital | 2 Hgb10r-02, Hgb10r-02 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on Humax Wireless Voice Gateway HGB10R-2 20160817_1855 devices. Admin credentials are sent over cleartext HTTP. | |||||
CVE-2019-19889 | 1 Humaxdigital | 2 Hgb10r-02, Hgb10r-02 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on Humax Wireless Voice Gateway HGB10R-2 20160817_1855 devices. The attacker can discover admin credentials in the backup file, aka backupsettings.conf. | |||||
CVE-2019-19463 | 1 Huami | 1 Mi Fit | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
The Anhui Huami Mi Fit application before 4.0.11 for Android has an Unencrypted Update Check. | |||||
CVE-2019-19316 | 1 Hashicorp | 1 Terraform | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
When using the Azure backend with a shared access signature (SAS), Terraform versions prior to 0.12.17 may transmit the token and state snapshot using cleartext HTTP. | |||||
CVE-2019-19251 | 1 Last.fm | 1 Last.fm Desktop | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
The Last.fm desktop app (Last.fm Scrobbler) through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts. | |||||
CVE-2019-19127 | 1 Tribalgroup | 1 Sits\ | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
An authentication bypass vulnerability is present in the standalone SITS:Vision 9.7.0 component of Tribal SITS in its default configuration, related to unencrypted communications sent by the client each time it is launched. This occurs because the Uniface TLS Driver is not enabled by default. This vulnerability allows attackers to gain access to credentials or execute arbitrary SQL queries on the SITS backend as long as they have access to the client executable or can intercept traffic from a user who does. | |||||
CVE-2019-19107 | 2 Abb, Busch-jaeger | 4 Tg/s3.2, Tg/s3.2 Firmware, 6186/11 and 1 more | 2024-11-21 | 2.1 LOW | 6.2 MEDIUM |
The Configuration pages in ABB Telephone Gateway TG/S 3.2 and Busch-Jaeger 6186/11 Telefon-Gateway for user profiles and services transfer the password in plaintext (although hidden when displayed). | |||||
CVE-2019-18852 | 1 Dlink | 14 Dir-600 B1, Dir-600 B1 Firmware, Dir-615 J1 and 11 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
Certain D-Link devices have a hardcoded Alphanetworks user account with TELNET access because of /etc/config/image_sign or /etc/alpha_config/image_sign. This affects DIR-600 B1 V2.01 for WW, DIR-890L A1 v1.03, DIR-615 J1 v100 (for DCN), DIR-645 A1 v1.03, DIR-815 A1 v1.01, DIR-823 A1 v1.01, and DIR-842 C1 v3.00. | |||||
CVE-2019-18800 | 1 Rakuten | 1 Viber | 2024-11-21 | 4.3 MEDIUM | 8.8 HIGH |
Viber through 11.7.0.5 allows a remote attacker who can capture a victim's internet traffic to steal their Viber account, because not all Viber protocol traffic is encrypted. TCP data packet 9 on port 4244 from the victim's device contains cleartext information such as the device model and OS version, IMSI, and 20 bytes of udid in a binary format, which is located at offset 0x14 of this packet. Then, the attacker installs Viber on his device, initiates the registration process for any phone number, but doesn't enter a pin from SMS. Instead, he closes Viber. Next, the attacker rewrites his udid with the victim's udid, modifying the viber_udid file, which is located in the Viber preferences folder. (The udid is stored in a hexadecimal format.) Finally, the attacker starts Viber again and enters the pin from SMS. | |||||
CVE-2019-18285 | 1 Siemens | 1 Sppa-t3000 Application Server | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
A vulnerability has been identified in SPPA-T3000 Application Server (All versions < Service Pack R8.2 SP2). The RMI communication between the client and the Application Server is unencrypted. An attacker with access to the communication channel can read credentials of a valid user. Please note that an attacker needs to have access to the Application Highway in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
CVE-2019-18248 | 1 Biotronik | 4 Cardiomessenger Ii-s Gsm, Cardiomessenger Ii-s Gsm Firmware, Cardiomessenger Ii-s T-line and 1 more | 2024-11-21 | 3.3 LOW | 4.3 MEDIUM |
BIOTRONIK CardioMessenger II: the affected products transmit credentials in clear-text prior to switching to an encrypted communication channel. An attacker can disclose the product’s client credentials for connecting to the BIOTRONIK Remote Communication infrastructure. | |||||
CVE-2019-18231 | 1 Advantech | 2 Spectre Rt Ert351, Spectre Rt Ert351 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
In Advantech Spectre RT ERT351 versions 5.1.3 and prior, logins and passwords are transmitted in clear text, which may allow an attacker to intercept the request. | |||||
CVE-2019-18201 | 1 Fujitsu | 2 Lx390, Lx390 Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Because of the lack of proper encryption of 2.4 GHz communication, an attacker is able to eavesdrop on sensitive data such as passwords. | |||||
CVE-2019-18199 | 1 Fujitsu | 2 Lx390, Lx390 Firmware | 2024-11-21 | 6.9 MEDIUM | 6.6 MEDIUM |
An issue was discovered on Fujitsu Wireless Keyboard Set LX390 GK381 devices. Because of the lack of proper encryption of 2.4 GHz communication, and because of password-based authentication, they are vulnerable to replay attacks. | |||||
CVE-2019-17393 | 1 Tomedo | 1 Server | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Basic authentication is used for the authentication, making it possible to base64 decode the sniffed credentials and discover the username and password. | |||||
CVE-2019-17356 | 1 Infinitestudio | 1 Infinite Design | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
The Infinite Design application 3.4.12 for Android sends a username and password via TCP without any encryption during login, as demonstrated by sniffing of a public Wi-Fi network. | |||||
CVE-2019-17218 | 1 Vzug | 2 Combi-stream Mslq, Combi-stream Mslq Firmware | 2024-11-21 | 5.0 MEDIUM | 9.1 CRITICAL |
An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. By default, the communication to the web service is unencrypted via HTTP. An attacker is able to intercept and sniff communication to the web service. |