Total: 743 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-33837 | 1 Ibm | 1 Security Verify Governance | 2024-11-21 | N/A | 4.1 MEDIUM |
IBM Security Verify Governance 10.0 does not encrypt sensitive or critical information before storage or transmission. IBM X-Force ID: 256020. | |||||
CVE-2023-33187 | 1 Highlight | 1 Highlight | 2024-11-21 | N/A | 5.4 MEDIUM |
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `type="password"` inputs. A customer may assume that switching to `type="text"` would also not record this input; hence, they would not add additional `highlight-mask` css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a `Show Password` button is used. This issue was patched in version 6.0.0. This patch tracks changes to the `type` attribute of an input to ensure an input that used to be a `type="password"` continues to be obfuscated. | |||||
CVE-2023-32328 | 1 Ibm | 1 Security Verify Access | 2024-11-21 | N/A | 7.5 HIGH |
IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that could allow an attacker on the network to take control of the server. IBM X-Force Id: 254957. | |||||
CVE-2023-31823 | 1 Marui | 1 Marui | 2024-11-21 | N/A | 7.5 HIGH |
An issue found in Marui Co Marui Official app v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp Marui Official Store function. | |||||
CVE-2023-31410 | 1 Sick | 1 Sick Eventcam App | 2024-11-21 | N/A | 9.8 CRITICAL |
A remote unprivileged attacker can intercept the communication via e.g. Man-In-The-Middle, due to the absence of Transport Layer Security (TLS) in the SICK EventCam App. This lack of encryption in the communication channel can lead to the unauthorized disclosure of sensitive information. The attacker can exploit this weakness to eavesdrop on the communication between the EventCam App and the Client, and potentially manipulate the data being transmitted. | |||||
CVE-2023-31193 | 1 Snapone | 1 Orvc | 2024-11-21 | N/A | 7.5 HIGH |
Snap One OvrC Pro versions prior to 7.3 use HTTP connections when downloading a program from their servers. Because they do not use HTTPS, OvrC Pro devices are susceptible to exploitation. | |||||
CVE-2023-30841 | 1 Linuxfoundation | 1 Baremetal Operator | 2024-11-21 | N/A | 6.0 MEDIUM |
Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241. | |||||
CVE-2023-30602 | 1 Hitrontech | 2 Coda-5310, Coda-5310 Firmware | 2024-11-21 | N/A | 7.5 HIGH |
Hitron Technologies CODA-5310’s Telnet function transfers sensitive data in plaintext. An unauthenticated remote attacker can exploit this vulnerability to access the credentials of normal users and the administrator. | |||||
CVE-2023-30565 | 1 Bd | 1 Guardrails Cqi Reporter | 2024-11-21 | N/A | 3.5 LOW |
An insecure connection between Systems Manager and CQI Reporter application could expose infusion data to an attacker. | |||||
CVE-2023-2754 | 1 Cloudflare | 1 Warp | 2024-11-21 | N/A | 7.4 HIGH |
The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS servers, since WARP acts as a local DNS server that performs DNS queries in a secure manner. However, if a user is connected to WARP over an IPv6-capable network, the WARP client did not assign loopback IPv6 addresses but Unique Local Addresses, which under certain conditions could point towards unknown devices in the same local network, enabling an attacker to view DNS queries made by the device. | |||||
CVE-2023-28616 | 1 Stormshield | 1 Stormshield Network Security | 2024-11-21 | N/A | 7.5 HIGH |
An issue was discovered in Stormshield Network Security (SNS) before 4.3.17, 4.4.x through 4.6.x before 4.6.4, and 4.7.x before 4.7.1. It affects user accounts for which the password has an equals sign or space character. The serverd process logs such passwords in cleartext, and potentially sends these logs to the Syslog component. | |||||
CVE-2023-27861 | 1 Ibm | 1 Maximo Application Suite | 2024-11-21 | N/A | 5.9 MEDIUM |
IBM Maximo Application Suite - Manage Component 8.8.0 and 8.9.0 transmits sensitive information in cleartext that could be intercepted by an attacker using man in the middle techniques. IBM X-Force ID: 249208. | |||||
CVE-2023-25848 | 1 Esri | 1 Arcgis Server | 2024-11-21 | N/A | 5.3 MEDIUM |
ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed. | |||||
CVE-2023-24547 | 1 Arista | 5 7130, 7130-16g3s, 7130-48g3s and 2 more | 2024-11-21 | N/A | 5.9 MEDIUM |
On affected platforms running Arista MOS, the configuration of a BGP password will cause the password to be logged in clear text that can be revealed in local logs or remote logging servers by authenticated users, as well as appear in clear text in the device’s running config. | |||||
CVE-2023-23915 | 3 Haxx, Netapp, Splunk | 12 Curl, Active Iq Unified Manager, Clustered Data Ontap and 9 more | 2024-11-21 | N/A | 6.5 MEDIUM |
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel, as the HSTS cache file gets overwritten by the most recently completed transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS. | |||||
CVE-2023-23841 | 1 Solarwinds | 1 Serv-u | 2024-11-21 | N/A | 7.5 HIGH |
SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request. Part of the URL of the request discloses sensitive data. | |||||
CVE-2023-23371 | 1 Qnap | 1 Qvpn | 2024-11-21 | N/A | 5.2 MEDIUM |
A cleartext transmission of sensitive information vulnerability has been reported to affect QVPN Device Client. If exploited, the vulnerability could allow local authenticated administrators to read sensitive data via unspecified vectors. We have already fixed the vulnerability in the following version: QVPN Windows 2.2.0.0823 and later. | |||||
CVE-2023-23130 | 1 Connectwise | 1 Automate | 2024-11-21 | N/A | 5.9 MEDIUM |
Connectwise Automate 2022.11 is vulnerable to cleartext authentication. Authentication is being done via HTTP (cleartext) with SSL disabled. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting. | |||||
CVE-2023-22870 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2024-11-21 | N/A | 5.9 MEDIUM |
IBM Aspera Faspex 5.0.5 transmits sensitive information in cleartext which could be obtained by an attacker using man in the middle techniques. IBM X-Force ID: 244121. | |||||
CVE-2023-22863 | 3 Ibm, Microsoft, Redhat | 5 Robotic Process Automation, Robotic Process Automation As A Service, Robotic Process Automation For Cloud Pak and 2 more | 2024-11-21 | N/A | 5.9 MEDIUM |
IBM Robotic Process Automation 20.12.0 through 21.0.2 defaults to HTTP in some RPA commands when the prefix is not explicitly specified in the URL. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 244109. |