Total
536 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-29681 | 1 Tenda | 2 N301, N301 Firmware | 2023-12-10 | N/A | 5.7 MEDIUM |
| Cleartext Transmission in cookie:ecos_pw: in Tenda N301 v6.0, firmware v12.03.01.06_pt allows an authenticated attacker on the LAN or WLAN to intercept communications with the router and obtain the password. | |||||
| CVE-2023-1656 | 1 Forgerock | 1 Ldap Connector | 2023-12-10 | N/A | 7.5 HIGH |
| Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13. | |||||
| CVE-2023-29680 | 1 Tenda | 2 N301, N301 Firmware | 2023-12-10 | N/A | 5.7 MEDIUM |
| Cleartext Transmission in set-cookie:ecos_pw: Tenda N301 v6.0, Firmware v12.02.01.61_multi allows an authenticated attacker on the LAN or WLAN to intercept communications with the router and obtain the password. | |||||
| CVE-2023-27861 | 1 Ibm | 1 Maximo Application Suite | 2023-12-10 | N/A | 5.9 MEDIUM |
| IBM Maximo Application Suite - Manage Component 8.8.0 and 8.9.0 transmits sensitive information in cleartext that could be intercepted by an attacker using man in the middle techniques. IBM X-Force ID: 249208. | |||||
| CVE-2023-30841 | 1 Linuxfoundation | 1 Baremetal Operator | 2023-12-10 | N/A | 5.5 MEDIUM |
| Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241. | |||||
| CVE-2023-30515 | 1 Jenkins | 1 Thycotic Devops Secrets Vault | 2023-12-10 | N/A | 7.5 HIGH |
| Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. | |||||
| CVE-2023-23841 | 1 Solarwinds | 1 Serv-u | 2023-12-10 | N/A | 7.5 HIGH |
| SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request.? Part of the URL of the request discloses sensitive data. | |||||
| CVE-2023-27927 | 1 Sauter-controls | 2 Ey-as525f001, Ey-as525f001 Firmware | 2023-12-10 | N/A | 6.5 MEDIUM |
| An authenticated malicious user could acquire the simple mail transfer protocol (SMTP) Password in cleartext format, despite it being protected and hidden behind asterisks. The attacker could then perform further attacks using the SMTP credentials. | |||||
| CVE-2023-21220 | 1 Google | 1 Android | 2023-12-10 | N/A | 7.5 HIGH |
| there is a possible use of unencrypted transport over cellular networks due to an insecure default value. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-264590585References: N/A | |||||
| CVE-2023-33187 | 1 Highlight | 1 Highlight | 2023-12-10 | N/A | 6.5 MEDIUM |
| Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `type="password"` inputs. A customer may assume that switching to `type="text"` would also not record this input; hence, they would not add additional `highlight-mask` css-class obfuscation to this part of the DOM, resulting in unintentional recording of a password value when a `Show Password` button is used. This issue was patched in version 6.0.0. This patch tracks changes to the `type` attribute of an input to ensure an input that used to be a `type="password"` continues to be obfuscated. | |||||
| CVE-2023-25070 | 1 Seiko-sol | 4 Skybridge Mb-a100, Skybridge Mb-a100 Firmware, Skybridge Mb-a110 and 1 more | 2023-12-10 | N/A | 6.5 MEDIUM |
| Cleartext transmission of sensitive information exists in SkyBridge MB-A100/110 firmware Ver. 4.2.0 and earlier. If the telnet connection is enabled, a remote unauthenticated attacker may eavesdrop on or alter the administrator's communication to the product. | |||||
| CVE-2023-1802 | 1 Docker | 1 Desktop | 2023-12-10 | N/A | 7.5 HIGH |
| In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected. | |||||
| CVE-2023-28348 | 2 Faronics, Microsoft | 2 Insight, Windows | 2023-12-10 | N/A | 7.4 HIGH |
| An issue was discovered in Faronics Insight 10.0.19045 on Windows. A suitably positioned attacker could perform a man-in-the-middle attack on either a connected student or teacher, enabling them to intercept student keystrokes or modify executable files being sent from teachers to students. | |||||
| CVE-2023-33730 | 1 Escanav | 1 Escan Management Console | 2023-12-10 | N/A | 9.8 CRITICAL |
| Privilege Escalation in the "GetUserCurrentPwd" function in Microworld Technologies eScan Management Console 14.0.1400.2281 allows any remote attacker to retrieve password of any admin or normal user in plain text format. | |||||
| CVE-2023-32784 | 1 Keepass | 1 Keepass | 2023-12-10 | N/A | 7.5 HIGH |
| In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation. | |||||
| CVE-2019-14942 | 1 Gitlab | 1 Gitlab | 2023-12-10 | N/A | 5.9 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Cookies for GitLab Pages (which have access control) could be sent over cleartext HTTP. | |||||
| CVE-2023-31195 | 1 Asus | 2 Rt-ax3000, Rt-ax3000 Firmware | 2023-12-10 | N/A | 5.3 MEDIUM |
| ASUS Router RT-AX3000 Firmware versions prior to 3.0.0.4.388.23403 uses sensitive cookies without 'Secure' attribute. When an attacker is in a position to be able to mount a man-in-the-middle attack, and a user is tricked to log into the affected device through an unencrypted ('http') connection, the user's session may be hijacked. | |||||
| CVE-2023-25437 | 1 Vtech | 2 Vcs754a, Vcs754a Firmware | 2023-12-10 | N/A | 8.8 HIGH |
| An issue was discovered in vTech VCS754 version 1.1.1.A before 1.1.1.H, allows attackers to gain escalated privileges and gain sensitive information due to cleartext passwords passed in the raw HTML. | |||||
| CVE-2022-41327 | 1 Fortinet | 2 Fortios, Fortiproxy | 2023-12-10 | N/A | 4.4 MEDIUM |
| A cleartext transmission of sensitive information vulnerability [CWE-319] in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.8, FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.8 allows an authenticated attacker with readonly superadmin privileges to intercept traffic in order to obtain other adminstrators cookies via diagnose CLI commands. | |||||
| CVE-2023-30513 | 1 Jenkins | 1 Kubernetes | 2023-12-10 | N/A | 7.5 HIGH |
| Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. | |||||