Total
615 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-27656 | 1 Synology | 1 Diskstation Manager | 2020-11-03 | 4.3 MEDIUM | 3.7 LOW |
| Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors. | |||||
| CVE-2020-27657 | 1 Synology | 1 Router Manager | 2020-11-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| Cleartext transmission of sensitive information vulnerability in DDNS in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors. | |||||
| CVE-2020-7744 | 2 Google, Mintegral | 2 Android, Mintegraladsdk | 2020-10-29 | 4.3 MEDIUM | 4.7 MEDIUM |
| This affects all versions of package com.mintegral.msdk:alphab. The Android SDK distributed by the company contains malicious functionality in this module that tracks: 1. Downloads from Google urls either within Google apps or via browser including file downloads, e-mail attachments and Google Docs links. 2. All apk downloads, either organic or not. Mintegral listens to download events in Android's download manager and detects if the downloaded file's url contains: a. google.com or comes from a Google app (the com.android.vending package) b. Ends with .apk for apk downloads In both cases, the module sends the captured data back to Mintegral's servers. Note that the malicious functionality keeps running even if the app is currently not in focus (running in the background). | |||||
| CVE-2019-3793 | 1 Pivotal Software | 1 Application Service | 2020-10-16 | 5.0 MEDIUM | 9.8 CRITICAL |
| Pivotal Apps Manager Release, versions 665.0.x prior to 665.0.28, versions 666.0.x prior to 666.0.21, versions 667.0.x prior to 667.0.7, contain an invitation service that accepts HTTP. A remote unauthenticated user could listen to network traffic and gain access to the authorization credentials used to make the invitation requests. | |||||
| CVE-2019-5635 | 1 Belwith-keeler | 2 Hickory Smart Ethernet Bridge, Hickory Smart Ethernet Bridge Firmware | 2020-10-16 | 5.0 MEDIUM | 7.5 HIGH |
| A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information. | |||||
| CVE-2019-11276 | 1 Pivotal Software | 1 Application Service | 2020-10-16 | 4.8 MEDIUM | 5.4 MEDIUM |
| Pivotal Apps Manager, included in Pivotal Application Service versions 2.3.x prior to 2.3.16, 2.4.x prior to 2.4.12, 2.5.x prior to 2.5.8, and 2.6.x prior to 2.6.3, makes a request to the /cloudapplication endpoint via Spring actuator, and subsequent requests via unsecured http. An adjacent unauthenticated user could eavesdrop on the network traffic and gain access to the unencrypted token allowing the attacker to read the type of access a user has over an app. They may also modify the logging level, potentially leading to lost information that would otherwise have been logged. | |||||
| CVE-2020-25748 | 1 Rubetek | 6 Rv-3406, Rv-3406 Firmware, Rv-3409 and 3 more | 2020-10-08 | 6.8 MEDIUM | 8.1 HIGH |
| A Cleartext Transmission issue was discovered on Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339). Someone in the middle can intercept and modify the video data from the camera, which is transmitted in an unencrypted form. One can also modify responses from NTP and RTSP servers and force the camera to use the changed values. | |||||
| CVE-2019-12506 | 1 Logitech | 2 R700 Laser Presentation Remote, R700 Laser Presentation Remote Firmware | 2020-08-24 | 8.3 HIGH | 8.8 HIGH |
| Due to unencrypted and unauthenticated data communication, the wireless presenter Logitech R700 Laser Presentation Remote R-R0010 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device. | |||||
| CVE-2019-14319 | 3 Apple, Google, Tiktok | 3 Iphone Os, Android, Tiktok | 2020-08-24 | 3.3 LOW | 6.5 MEDIUM |
| The TikTok (formerly Musical.ly) application 12.2.0 for Android and iOS performs unencrypted transmission of images, videos, and likes. This allows an attacker to extract private sensitive information by sniffing network traffic. | |||||
| CVE-2019-0346 | 1 Sap | 1 Businessobjects Business Intelligence | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Unencrypted communication error in SAP Business Objects Business Intelligence Platform (Central Management Console), version 4.2, leads to disclosure of list of user names and roles imported from SAP NetWeaver BI systems, resulting in Information Disclosure. | |||||
| CVE-2018-11422 | 1 Moxa | 4 Oncell G3150-hspa, Oncell G3150-hspa-t, Oncell G3150-hspa-t Firmware and 1 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary configuration protocol that does not provide confidentiality, integrity, and authenticity security controls. All information is sent in plain text, and can be intercepted and modified. Any commands (including device reboot, configuration download or upload, or firmware upgrade) are accepted and executed by the device without authentication. | |||||
| CVE-2019-5494 | 1 Netapp | 1 Oncommand Unified Manager | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| OnCommand Unified Manager 7-Mode prior to version 5.2.4 shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified vectors. | |||||
| CVE-2019-5503 | 1 Netapp | 1 Oncommand Workflow Automation | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| OnCommand Workflow Automation versions prior to 5.0 shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified vectors. | |||||
| CVE-2019-12503 | 1 Inateck | 2 Bcst-60, Bcst-60 Firmware | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| Due to unencrypted and unauthenticated data communication, the wireless barcode scanner Inateck BCST-60 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device. | |||||
| CVE-2019-11220 | 1 Ilnkp2p Project | 1 Ilnkp2p | 2020-08-24 | 4.3 MEDIUM | 8.1 HIGH |
| An authentication flaw in Shenzhen Yunni Technology iLnkP2P allows remote attackers to actively intercept user-to-device traffic in cleartext, including video streams and device credentials. | |||||
| CVE-2019-19127 | 1 Tribalgroup | 1 Sits\ | 2020-08-24 | 6.8 MEDIUM | 8.1 HIGH |
| An authentication bypass vulnerability is present in the standalone SITS:Vision 9.7.0 component of Tribal SITS in its default configuration, related to unencrypted communications sent by the client each time it is launched. This occurs because the Uniface TLS Driver is not enabled by default. This vulnerability allows attackers to gain access to credentials or execute arbitrary SQL queries on the SITS backend as long as they have access to the client executable or can intercept traffic from a user who does. | |||||
| CVE-2019-7675 | 1 Mobotix | 2 S14, S14 Firmware | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. The default management application is delivered over cleartext HTTP with Basic Authentication, as demonstrated by the /admin/index.html URI. | |||||
| CVE-2019-12505 | 1 Inateck | 2 Wp1001, Wp1001 Firmware | 2020-08-24 | 8.3 HIGH | 8.8 HIGH |
| Due to unencrypted and unauthenticated data communication, the wireless presenter Inateck WP1001 v1.3C is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device. | |||||
| CVE-2019-1010260 | 1 Ktlint Project | 1 Ktlint | 2020-08-24 | 9.3 HIGH | 8.1 HIGH |
| Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261. | |||||
| CVE-2019-15626 | 1 Trendmicro | 1 Deep Security | 2020-08-24 | 4.3 MEDIUM | 7.5 HIGH |
| The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability. | |||||