Total
704 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-15635 | 1 Grafana | 1 Grafana | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in Grafana 5.4.0. Passwords for data sources used by Grafana (e.g., MySQL) are not encrypted. An admin user can reveal passwords for any data source by pressing the "Save and test" button within a data source's settings menu. When watching the transaction with Burp Proxy, the password for the data source is revealed and sent to the server. From a browser, a prompt to save the credentials is generated, and the password can be revealed by simply checking the "Show password" box. | |||||
| CVE-2019-15626 | 1 Trendmicro | 1 Deep Security | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability. | |||||
| CVE-2019-15135 | 1 Omg | 1 Dds Security | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The handshake protocol in Object Management Group (OMG) DDS Security 1.1 sends cleartext information about all of the capabilities of a participant (including capabilities inapplicable to the current session), which makes it easier for attackers to discover potentially sensitive reachability information on a Data Distribution Service (DDS) network. | |||||
| CVE-2019-14959 | 1 Jetbrains | 1 Toolbox | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| JetBrains Toolbox before 1.15.5605 was resolving an internal URL via a cleartext http connection. | |||||
| CVE-2019-14954 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection. | |||||
| CVE-2019-14808 | 1 Renpho | 1 Renpho | 2024-11-21 | 4.0 MEDIUM | 6.8 MEDIUM |
| An issue was discovered in the RENPHO application 3.0.0 for iOS. It transmits JSON data unencrypted to a server without an integrity check, if a user changes personal data in his profile tab (e.g., exposure of his birthday) or logs into his account (i.e., exposure of credentials). | |||||
| CVE-2019-14664 | 2 Enigmail, Fedoraproject | 2 Enigmail, Fedora | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| In Enigmail below 2.1, an attacker in possession of PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, he unknowingly leaks the plaintext of the encrypted message part(s) back to the attacker. This attack variant bypasses protection mechanisms implemented after the "EFAIL" attacks. | |||||
| CVE-2019-14319 | 3 Apple, Google, Tiktok | 3 Iphone Os, Android, Tiktok | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
| The TikTok (formerly Musical.ly) application 12.2.0 for Android and iOS performs unencrypted transmission of images, videos, and likes. This allows an attacker to extract private sensitive information by sniffing network traffic. | |||||
| CVE-2019-13498 | 1 Oneidentity | 1 Cloud Access Manager | 2024-11-21 | 5.8 MEDIUM | 7.4 HIGH |
| One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. This issue is fixed in version 8.1.4. | |||||
| CVE-2019-13394 | 1 Netgear | 2 Cg3700b, Cg3700b Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses HTTP Basic Authentication over cleartext HTTP. | |||||
| CVE-2019-12967 | 1 Themooltipass | 1 Moolticute | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Stephan Mooltipass Moolticute through 0.42.1 (and possibly earlier versions) has Incorrect Access Control. | |||||
| CVE-2019-12820 | 1 Jisiwei | 2 I3, I3 Firmware | 2024-11-21 | 4.3 MEDIUM | 5.6 MEDIUM |
| A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner. Actions performed on the app such as changing a password, and personal information it communicates with the server, use unencrypted HTTP. As an example, while logging in through the app to a Jisiwei account, the login request is being sent in cleartext. The vulnerability exists in both the Android and iOS version of the app. An attacker could exploit this by using an MiTM attack on the local network to obtain someone's login credentials, which gives them full access to the robot vacuum cleaner. | |||||
| CVE-2019-12813 | 1 Crossmatch | 2 Digital Persona U.are.u 4500, Digital Persona U.are.u 4500 Firmware | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in Digital Persona U.are.U 4500 Fingerprint Reader v24. The key and salt used for obfuscating the fingerprint image exhibit cleartext when the fingerprint scanner device transfers a fingerprint image to the driver. An attacker who sniffs an encrypted fingerprint image can easily decrypt that image using the key and salt. | |||||
| CVE-2019-12781 | 3 Canonical, Debian, Djangoproject | 3 Ubuntu Linux, Debian Linux, Django | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP. | |||||
| CVE-2019-12506 | 1 Logitech | 2 R700 Laser Presentation Remote, R700 Laser Presentation Remote Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| Due to unencrypted and unauthenticated data communication, the wireless presenter Logitech R700 Laser Presentation Remote R-R0010 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device. | |||||
| CVE-2019-12505 | 1 Inateck | 2 Wp1001, Wp1001 Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| Due to unencrypted and unauthenticated data communication, the wireless presenter Inateck WP1001 v1.3C is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device. | |||||
| CVE-2019-12504 | 1 Inateck | 2 Wp2002, Wp2002 Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| Due to unencrypted and unauthenticated data communication, the wireless presenter Inateck WP2002 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device. | |||||
| CVE-2019-12503 | 1 Inateck | 2 Bcst-60, Bcst-60 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Due to unencrypted and unauthenticated data communication, the wireless barcode scanner Inateck BCST-60 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device. | |||||
| CVE-2019-12399 | 2 Apache, Oracle | 13 Kafka, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 10 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value, then any client can issue a request to the same Connect cluster to obtain the connector's task configuration and the response will contain the plaintext secret rather than the externalized secrets variables. | |||||
| CVE-2019-12388 | 1 Anviz | 1 Anviz Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Anviz access control devices perform cleartext transmission of sensitive information (passwords/pins and names) when replying to query on port tcp/5010. | |||||