Total
615 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8356 | 1 Lenovo | 1 Xclarity Orchestrator | 2021-03-15 | 4.0 MEDIUM | 4.9 MEDIUM |
| An internal product security audit of LXCO, prior to version 1.2.2, discovered that optional passwords, if specified, for the Syslog and SMTP forwarders are written to an internal LXCO log file in clear text. Affected logs are captured in the First Failure Data Capture (FFDC) service log. The FFDC service log is only generated when requested by a privileged LXCO user and it is only accessible to the privileged LXCO user that requested the file. | |||||
| CVE-2020-29055 | 1 Cdatatec | 56 72408a, 72408a Firmware, 9008a and 53 more | 2021-03-11 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. By default, the appliance can be managed remotely only with HTTP, telnet, and SNMP. It doesn't support SSL/TLS for HTTP or SSH. An attacker can intercept passwords sent in cleartext and conduct man-in-the-middle attacks on the management of the appliance. | |||||
| CVE-2020-25605 | 1 Agora | 1 Video Software Development Kit | 2021-02-23 | 4.3 MEDIUM | 5.9 MEDIUM |
| Cleartext transmission of sensitive information in Agora Video SDK prior to 3.1 allows a remote attacker to obtain access to audio and video of any ongoing Agora video call through observation of cleartext network traffic. | |||||
| CVE-2021-27209 | 1 Tp-link | 2 Archer C5v, Archer C5v Firmware | 2021-02-19 | 3.6 LOW | 7.1 HIGH |
| In the management interface on TP-Link Archer C5v 1.7_181221 devices, credentials are sent in a base64 format over cleartext HTTP. | |||||
| CVE-2020-8355 | 1 Lenovo | 1 Xclarity Administrator | 2021-02-17 | 4.0 MEDIUM | 4.9 MEDIUM |
| An internal product security audit of Lenovo XClarity Administrator (LXCA) prior to version 3.1.0 discovered the Windows OS credentials provided by the LXCA user to perform driver updates of managed systems may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated while managed endpoints are updating. The service log is only generated when requested by a privileged LXCA user and it is only accessible to the privileged LXCA user that requested the file and is then deleted. | |||||
| CVE-2020-29662 | 1 Linuxfoundation | 1 Harbor | 2021-02-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Harbor 2.0 before 2.0.5 and 2.1.x before 2.1.2 the catalog’s registry API is exposed on an unauthenticated path. | |||||
| CVE-2019-0069 | 1 Juniper | 12 Acx5000, Ex4600, Junos and 9 more | 2021-02-05 | 2.1 LOW | 5.5 MEDIUM |
| On EX4600, QFX5100 Series, NFX Series, QFX10K Series, QFX5110, QFX5200 Series, QFX5110, QFX5200, QFX10K Series, vSRX, SRX1500, SRX4000 Series, vSRX, SRX1500, SRX4000, QFX5110, QFX5200, QFX10K Series, when the user uses console management port to authenticate, the credentials used during device authentication are written to a log file in clear text. This issue does not affect users that are logging-in using telnet, SSH or J-web to the management IP. This issue affects ACX, NFX, SRX, EX and QFX platforms with the Linux Host OS architecture, it does not affect other SRX and EX platforms that do not use the Linux Host OS architecture. This issue affects Juniper Networks Junos OS: 15.1X49 versions prior to 15.1X49-D110 on vSRX, SRX1500, SRX4000 Series; 15.1X53 versions prior to 15.1X53-D234 on QFX5110, QFX5200 Series; 15.1X53 versions prior to 15.1X53-D68 on QFX10K Series; 17.1 versions prior to 17.1R2-S8, 17.1R3, on QFX5110, QFX5200, QFX10K Series; 17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3 on QFX5110, QFX5200, QFX10K Series; 17.3 versions prior to 17.3R2 on vSRX, SRX1500, SRX4000, QFX5110, QFX5200, QFX10K Series; 14.1X53 versions prior to 14.1X53-D47 on ACX5000, EX4600, QFX5100 Series; 15.1 versions prior to 15.1R7 on ACX5000, EX4600, QFX5100 Series; 16.1R7 versions prior to 16.1R7 on ACX5000, EX4600, QFX5100 Series; 17.1 versions prior to 17.1R2-S10, 17.1R3 on ACX5000, EX4600, QFX5100 Series; 17.2 versions prior to 17.2R3 on ACX5000, EX4600, QFX5100 Series; 17.3 versions prior to 17.3R3 on ACX5000, EX4600, QFX5100 Series; 17.4 versions prior to 17.4R2 on ACX5000, EX4600, QFX5100 Series; 18.1 versions prior to 18.1R2 on ACX5000, EX4600, QFX5100 Series; 15.1X53 versions prior to 15.1X53-D496 on NFX Series, 17.2 versions prior to 17.2R3-S1 on NFX Series; 17.3 versions prior to 17.3R3-S4 on NFX Series; 17.4 versions prior to 17.4R2-S4, 17.4R3 on NFX Series, 18.1 versions prior to 18.1R3-S4 on NFX Series; 18.2 versions prior to 18.2R2-S3, 18.2R3 on NFX Series; 18.3 versions prior to 18.3R1-S3, 18.3R2 on NFX Series; 18.4 versions prior to 18.4R1-S1, 18.4R2 on NFX Series. | |||||
| CVE-2020-25169 | 1 Reolink | 14 Rlc-410, Rlc-410 Firmware, Rlc-422 and 11 more | 2021-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| The affected Reolink P2P products do not sufficiently protect data transferred between the local device and Reolink servers. This can allow an attacker to access sensitive information, such as camera feeds. | |||||
| CVE-2021-21270 | 1 Octopus | 1 Octopusdsc | 2021-02-01 | 2.1 LOW | 5.5 MEDIUM |
| OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. In OctopusDSC version 4.0.977 and earlier a customer API key used to connect to Octopus Server is exposed via logging in plaintext. This vulnerability is patched in version 4.0.1002. | |||||
| CVE-2020-4969 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2021-01-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Security Identity Governance and Intelligence 5.2.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. | |||||
| CVE-2020-4893 | 1 Ibm | 1 Emptoris Strategic Supply Management | 2021-01-08 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Emptoris Strategic Supply Management 10.1.0, 10.1.1, and 10.1.3 transmits sensitive information in HTTP GET request parameters. This may lead to information disclosure via man in the middle methods. IBM X-Force ID: 190984. | |||||
| CVE-2020-4899 | 1 Ibm | 1 Api Connect | 2021-01-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| IBM API Connect 5.0.0.0 through 5.0.8.10 could potentially leak sensitive information or allow for data corruption due to plain text transmission of sensitive information across the network. IBM X-Force ID: 190990. | |||||
| CVE-2018-19944 | 1 Qnap | 1 Qts | 2021-01-07 | 5.0 MEDIUM | 7.5 HIGH |
| A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information. QNAP have already fixed this vulnerability in the following versions: QTS 4.4.3.1354 build 20200702 (and later) | |||||
| CVE-2020-11718 | 1 Bilanc | 1 Bilanc | 2020-12-23 | 5.8 MEDIUM | 7.4 HIGH |
| An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and below. Its software-update packages are downloaded via cleartext HTTP. | |||||
| CVE-2020-25190 | 1 Moxa | 2 Nport Iaw5000a-i\/o, Nport Iaw5000a-i\/o Firmware | 2020-12-23 | 5.0 MEDIUM | 9.8 CRITICAL |
| The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower stores and transmits the credentials of third-party services in cleartext. | |||||
| CVE-2020-14248 | 1 Hcltech | 1 Bigfix Platform | 2020-12-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| BigFix Inventory up to v10.0.2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | |||||
| CVE-2020-5426 | 1 Vmware | 1 Pivotal Scheduler | 2020-12-01 | 4.3 MEDIUM | 9.8 CRITICAL |
| Scheduler for TAS prior to version 1.4.0 was permitting plaintext transmission of UAA client token by sending it over a non-TLS connection. This also depended on the configuration of the MySQL server which is used to cache a UAA client token used by the service. If intercepted the token can give an attacker admin level access in the cloud controller. | |||||
| CVE-2020-27586 | 1 Quickheal | 1 Total Security | 2020-12-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| Quick Heal Total Security before version 19.0 transmits quarantine and sysinfo files via clear text. | |||||
| CVE-2020-25155 | 1 Nexcom | 2 Nio 50, Nio 50 Firmware | 2020-11-30 | 5.0 MEDIUM | 7.5 HIGH |
| The affected product transmits unencrypted sensitive information, which may allow an attacker to access this information on the NIO 50 (all versions). | |||||
| CVE-2005-2069 | 2 Openldap, Padl | 3 Openldap, Nss Ldap, Pam Ldap | 2020-11-16 | 5.0 MEDIUM | N/A |
| pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password. | |||||