Total
536 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-30354 | 1 Tenda | 2 Cp3, Cp3 Firmware | 2023-12-10 | N/A | 9.8 CRITICAL |
Shenzen Tenda Technology IP Camera CP3 V11.10.00.2211041355 does not defend against physical access to U-Boot via the UART: the Wi-Fi password is shown, and the hardcoded boot password can be inserted for console access. | |||||
CVE-2023-31193 | 1 Snapone | 1 Orvc | 2023-12-10 | N/A | 7.5 HIGH |
Snap One OvrC Pro versions prior to 7.3 use HTTP connections when downloading a program from their servers. Because they do not use HTTPS, OvrC Pro devices are susceptible to exploitation. | |||||
CVE-2023-0922 | 1 Samba | 1 Samba | 2023-12-10 | N/A | 5.9 MEDIUM |
The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection. | |||||
CVE-2023-31410 | 1 Sick | 1 Sick Eventcam App | 2023-12-10 | N/A | 7.4 HIGH |
A remote unprivileged attacker can intercept the communication via e.g. Man-In-The-Middle, due to the absence of Transport Layer Security (TLS) in the SICK EventCam App. This lack of encryption in the communication channel can lead to the unauthorized disclosure of sensitive information. The attacker can exploit this weakness to eavesdrop on the communication between the EventCam App and the Client, and potentially manipulate the data being transmitted. | |||||
CVE-2023-1831 | 1 Mattermost | 1 Mattermost Server | 2023-12-10 | N/A | 7.5 HIGH |
Mattermost fails to redact from audit logsĀ the user password during user creation and the user password hash in other operations if the experimental audit logging configuration was enabled (ExperimentalAuditSettings section in config). | |||||
CVE-2022-46680 | 1 Schneider-electric | 10 Powerlogic Ion7400, Powerlogic Ion7400 Firmware, Powerlogic Ion8650 and 7 more | 2023-12-10 | N/A | 9.8 CRITICAL |
A CWE-319: Cleartext transmission of sensitive information vulnerability exists that could cause disclosure of sensitive information, denial of service, or modification of data if an attacker is able to intercept network traffic. | |||||
CVE-2023-33960 | 1 Openproject | 1 Openproject | 2023-12-10 | N/A | 7.5 HIGH |
OpenProject is web-based project management software. For any OpenProject installation, a `robots.txt` file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Prior to version 12.5.6, even if the entire instance is marked as `Login required` and prevents all truly anonymous access, the `/robots.txt` route remains publicly available. Version 12.5.6 has a fix for this issue. Alternatively, users can download a patchfile to apply the patch to any OpenProject version greater than 10.0 As a workaround, one may mark any public project as non-public and give anyone in need of access to the project a membership. | |||||
CVE-2023-30514 | 1 Jenkins | 1 Azure Key Vault | 2023-12-10 | N/A | 7.5 HIGH |
Jenkins Azure Key Vault Plugin 187.va_cd5fecd198a_ and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. | |||||
CVE-2022-45478 | 1 Telepad-app | 1 Telepad | 2023-12-10 | N/A | 5.9 MEDIUM |
Telepad allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | |||||
CVE-2022-44411 | 1 Web Based Quiz System Project | 1 Web Based Quiz System | 2023-12-10 | N/A | 7.5 HIGH |
Web Based Quiz System v1.0 transmits user passwords in plaintext during the authentication process, allowing attackers to obtain users' passwords via a bruteforce attack. | |||||
CVE-2023-22597 | 1 Inhandnetworks | 4 Inrouter302, Inrouter302 Firmware, Inrouter615-s and 1 more | 2023-12-10 | N/A | 5.9 MEDIUM |
InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-319: Cleartext Transmission of Sensitive Information. They use an unsecured channel to communicate with the cloud platform by default. An unauthorized user could intercept this communication and steal sensitive information such as configuration information and MQTT credentials; this could allow MQTT command injection. | |||||
CVE-2023-22863 | 3 Ibm, Microsoft, Redhat | 5 Robotic Process Automation, Robotic Process Automation As A Service, Robotic Process Automation For Cloud Pak and 2 more | 2023-12-10 | N/A | 5.9 MEDIUM |
IBM Robotic Process Automation 20.12.0 through 21.0.2 defaults to HTTP in some RPA commands when the prefix is not explicitly specified in the URL. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 244109. | |||||
CVE-2022-23509 | 1 Weave | 1 Weave Gitops | 2023-12-10 | N/A | 6.0 MEDIUM |
Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local S3 bucket is not encrypted. This allows privileged users or process to tap the local traffic to gain information permitting access to the s3 bucket. From that point, it would be possible to alter the bucket content, resulting in changes in the Kubernetes cluster's resources. There are no known workaround(s) for this vulnerability. This vulnerability has been fixed by commits ce2bbff and babd915. Users should upgrade to Weave GitOps version >= v0.12.0 released on 08/12/2022. | |||||
CVE-2020-4497 | 1 Ibm | 1 Spectrum Protect Plus | 2023-12-10 | N/A | 5.9 MEDIUM |
IBM Spectrum Protect Plus 10.1.0 through 10.1.12 discloses sensitive information due to unencrypted data being used in the communication flow between Spectrum Protect Plus vSnap and its agents. An attacker could obtain information using main in the middle techniques. IBM X-Force ID: 182106. | |||||
CVE-2023-25016 | 1 Couchbase | 1 Couchbase Server | 2023-12-10 | N/A | 7.5 HIGH |
Couchbase Server before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2 exposes Sensitive Information to an Unauthorized Actor. | |||||
CVE-2022-45483 | 1 Lazy Mouse Project | 1 Lazy Mouse | 2023-12-10 | N/A | 5.9 MEDIUM |
Lazy Mouse allows an attacker (in a man in the middle position between the server and a connected device) to see all data (including keypresses) in cleartext. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | |||||
CVE-2023-24440 | 1 Jenkins | 1 Jira Pipeline Steps | 2023-12-10 | N/A | 5.5 MEDIUM |
Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||||
CVE-2022-45546 | 1 Screencheck | 1 Badgemaker | 2023-12-10 | N/A | 7.5 HIGH |
Information Disclosure in Authentication Component of ScreenCheck BadgeMaker 2.6.2.0 application allows internal attacker to obtain credentials for authentication via network sniffing. | |||||
CVE-2021-35246 | 1 Solarwinds | 1 Engineer\'s Toolset | 2023-12-10 | N/A | 5.3 MEDIUM |
The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users. | |||||
CVE-2022-40693 | 1 Moxa | 4 Sds-3008, Sds-3008-t, Sds-3008-t Firmware and 1 more | 2023-12-10 | N/A | 7.5 HIGH |
A cleartext transmission vulnerability exists in the web application functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A specially-crafted network sniffing can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability. |