Total
713 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-30841 | 1 Linuxfoundation | 1 Baremetal Operator | 2024-11-21 | N/A | 6.0 MEDIUM |
| Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241. | |||||
| CVE-2023-30602 | 1 Hitrontech | 2 Coda-5310, Coda-5310 Firmware | 2024-11-21 | N/A | 7.5 HIGH |
| Hitron Technologies CODA-5310’s Telnet function transfers sensitive data in plaintext. An unauthenticated remote attacker can exploit this vulnerability to access credentials of normal users and administrator. | |||||
| CVE-2023-30565 | 1 Bd | 1 Guardrails Cqi Reporter | 2024-11-21 | N/A | 3.5 LOW |
| An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker. | |||||
| CVE-2023-2754 | 1 Cloudflare | 1 Warp | 2024-11-21 | N/A | 7.4 HIGH |
| The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS Servers, since WARP acts as local DNS server that performs DNS queries in a secure manner, however, if a user is connected to WARP over an IPv6-capable network, te WARP client did not assign loopback IPv6 addresses but Unique Local Addresses, which under certain conditions could point towards unknown devices in the same local network which enables an Attacker to view DNS queries made by the device. | |||||
| CVE-2023-28616 | 1 Stormshield | 1 Stormshield Network Security | 2024-11-21 | N/A | 7.5 HIGH |
| An issue was discovered in Stormshield Network Security (SNS) before 4.3.17, 4.4.x through 4.6.x before 4.6.4, and 4.7.x before 4.7.1. It affects user accounts for which the password has an equals sign or space character. The serverd process logs such passwords in cleartext, and potentially sends these logs to the Syslog component. | |||||
| CVE-2023-27861 | 1 Ibm | 1 Maximo Application Suite | 2024-11-21 | N/A | 5.9 MEDIUM |
| IBM Maximo Application Suite - Manage Component 8.8.0 and 8.9.0 transmits sensitive information in cleartext that could be intercepted by an attacker using man in the middle techniques. IBM X-Force ID: 249208. | |||||
| CVE-2023-25848 | 1 Esri | 1 Arcgis Server | 2024-11-21 | N/A | 5.3 MEDIUM |
| ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed. | |||||
| CVE-2023-24547 | 1 Arista | 5 7130, 7130-16g3s, 7130-48g3s and 2 more | 2024-11-21 | N/A | 5.9 MEDIUM |
| On affected platforms running Arista MOS, the configuration of a BGP password will cause the password to be logged in clear text that can be revealed in local logs or remote logging servers by authenticated users, as well as appear in clear text in the device’s running config. | |||||
| CVE-2023-23915 | 3 Haxx, Netapp, Splunk | 12 Curl, Active Iq Unified Manager, Clustered Data Ontap and 9 more | 2024-11-21 | N/A | 6.5 MEDIUM |
| A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS. | |||||
| CVE-2023-23841 | 1 Solarwinds | 1 Serv-u | 2024-11-21 | N/A | 7.5 HIGH |
| SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request. Part of the URL of the request discloses sensitive data. | |||||
| CVE-2023-23371 | 1 Qnap | 1 Qvpn | 2024-11-21 | N/A | 5.2 MEDIUM |
| A cleartext transmission of sensitive information vulnerability has been reported to affect QVPN Device Client. If exploited, the vulnerability could allow local authenticated administrators to read sensitive data via unspecified vectors. We have already fixed the vulnerability in the following version: QVPN Windows 2.2.0.0823 and later | |||||
| CVE-2023-23130 | 1 Connectwise | 1 Automate | 2024-11-21 | N/A | 5.9 MEDIUM |
| Connectwise Automate 2022.11 is vulnerable to Cleartext authentication. Authentication is being done via HTTP (cleartext) with SSL disabled. OTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting. | |||||
| CVE-2023-22870 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2024-11-21 | N/A | 5.9 MEDIUM |
| IBM Aspera Faspex 5.0.5 transmits sensitive information in cleartext which could be obtained by an attacker using man in the middle techniques. IBM X-Force ID: 244121. | |||||
| CVE-2023-22863 | 3 Ibm, Microsoft, Redhat | 5 Robotic Process Automation, Robotic Process Automation As A Service, Robotic Process Automation For Cloud Pak and 2 more | 2024-11-21 | N/A | 5.9 MEDIUM |
| IBM Robotic Process Automation 20.12.0 through 21.0.2 defaults to HTTP in some RPA commands when the prefix is not explicitly specified in the URL. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 244109. | |||||
| CVE-2023-22806 | 1 Ls-electric | 2 Xbc-dn32u, Xbc-dn32u Firmware | 2024-11-21 | N/A | 7.5 HIGH |
| LS ELECTRIC XBC-DN32U with operating system version 01.80 transmits sensitive information in cleartext when communicating over its XGT protocol. This could allow an attacker to gain sensitive information such as user credentials. | |||||
| CVE-2023-22597 | 1 Inhandnetworks | 4 Inrouter302, Inrouter302 Firmware, Inrouter615-s and 1 more | 2024-11-21 | N/A | 6.5 MEDIUM |
| InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-319: Cleartext Transmission of Sensitive Information. They use an unsecured channel to communicate with the cloud platform by default. An unauthorized user could intercept this communication and steal sensitive information such as configuration information and MQTT credentials; this could allow MQTT command injection. | |||||
| CVE-2023-21220 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.5 HIGH |
| there is a possible use of unencrypted transport over cellular networks due to an insecure default value. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-264590585References: N/A | |||||
| CVE-2023-21219 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.5 HIGH |
| there is a possible use of unencrypted transport over cellular networks due to an insecure default value. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-264698379References: N/A | |||||
| CVE-2023-1831 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | N/A | 7.2 HIGH |
| Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). | |||||
| CVE-2023-1802 | 1 Docker | 1 Desktop | 2024-11-21 | N/A | 5.9 MEDIUM |
| In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected. | |||||