Total
674 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-41627 | 1 Alivecor | 6 Kardiamobile, Kardiamobile 6l, Kardiamobile 6l Firmware and 3 more | 2024-08-03 | 4.8 Medium |
| The physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone’s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves. | ||||
| CVE-2022-40939 | 1 Secu | 2 Secustation, Secustation Firmware | 2024-08-03 | 4.9 Medium |
| In certain Secustation products the administrator account password can be read. This affects V2.5.5.3116-S50-SMA-B20171107A, V2.3.4.1301-M20-TSA-B20150617A, V2.5.5.3116-S50-RXA-B20180502A, V2.5.5.3116-S50-SMA-B20190723A, V2.5.5.3116-S50-SMB-B20161012A, V2.3.4.2103-S50-NTD-B20170508B, V2.5.5.3116-S50-SMB-B20160601A, V2.5.5.2601-S50-TSA-B20151229A, and V2.5.5.3116-S50-SMA-B20170217. | ||||
| CVE-2022-40693 | 1 Moxa | 4 Sds-3008, Sds-3008-t, Sds-3008-t Firmware and 1 more | 2024-08-03 | 7.5 High |
| A cleartext transmission vulnerability exists in the web application functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A specially-crafted network sniffing can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability. | ||||
| CVE-2022-39339 | 1 Nextcloud | 1 Openid Connect User Backend | 2024-08-03 | 4.3 Medium |
| user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account security. This issue has been addressed in in user_oidc v1.2.1. Users are advised to upgrade. Users unable to upgrade may use https to access Nextcloud. Set an HTTPS discovery URL in the provider settings (in Nextcloud OIDC admin settings). | ||||
| CVE-2022-39287 | 1 Tiny-csrf Project | 1 Tiny-csrf | 2024-08-03 | 8.1 High |
| tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch with be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2022-39269 | 1 Pjsip | 1 Pjsip | 2024-08-03 | 9.1 Critical |
| PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2022-38846 | 1 Espocrm | 1 Espocrm | 2024-08-03 | 5.9 Medium |
| EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using MITM attack. | ||||
| CVE-2022-38458 | 1 Netgear | 2 Rbs750, Rbs750 Firmware | 2024-08-03 | 6.5 Medium |
| A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information. | ||||
| CVE-2022-36200 | 1 Fiberhome | 2 Hg150-ub, Hg150-ub Firmware | 2024-08-03 | 7.5 High |
| In FiberHome VDSL2 Modem HG150-Ub_V3.0, Credentials of Admin are submitted in URL, which can be logged/sniffed. | ||||
| CVE-2022-34801 | 1 Jenkins | 1 Build Notifications | 2024-08-03 | 4.3 Medium |
| Jenkins Build Notifications Plugin 1.5.0 and earlier transmits tokens in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | ||||
| CVE-2022-34804 | 1 Jenkins | 1 Opsgenie | 2024-08-03 | 4.3 Medium |
| Jenkins OpsGenie Plugin 1.9 and earlier transmits API keys in plain text as part of the global Jenkins configuration form and job configuration forms, potentially resulting in their exposure. | ||||
| CVE-2022-33724 | 1 Google | 1 Android | 2024-08-03 | 3.3 Low |
| Exposure of Sensitive Information in Samsung Dialer application?prior to SMR Aug-2022 Release 1 allows local attackers to access ICCID via log. | ||||
| CVE-2022-33321 | 1 Mitsubishielectric | 356 Ma-ew85s-e, Ma-ew85s-e Firmware, Ma-ew85s-uk and 353 more | 2024-08-03 | 9.8 Critical |
| Cleartext Transmission of Sensitive Information vulnerability due to the use of Basic Authentication for HTTP connections in Mitsubishi Electric consumer electronics products (PHOTOVOLTAIC COLOR MONITOR ECO-GUIDE, HEMS adapter, Wi-Fi Interface, Air Conditioning, Induction hob, Mitsubishi Electric HEMS Energy Measurement Unit, Refrigerator, Remote control with Wi-Fi Interface, BATHROOM THERMO VENTILATOR, Rice cooker, Mitsubishi Electric HEMS control adapter, Energy Recovery Ventilator, Smart Switch, Ventilating Fan, Range hood fan, Energy Measurement Unit and Air Purifier) allows a remote unauthenticated attacker to disclose information in the products or cause a denial of service (DoS) condition as a result by sniffing credential information (username and password). The wide range of models/versions of Mitsubishi Electric consumer electronics products are affected by this vulnerability. As for the affected product models/versions, see the Mitsubishi Electric's advisory which is listed in [References] section. | ||||
| CVE-2022-32245 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-08-03 | 8.2 High |
| SAP BusinessObjects Business Intelligence Platform (Open Document) - versions 420, 430, allows an unauthenticated attacker to retrieve sensitive information plain text over the network. On successful exploitation, the attacker can view any data available for a business user and put load on the application by an automated attack. Thus, completely compromising confidentiality but causing a limited impact on the availability of the application. | ||||
| CVE-2022-32227 | 1 Rocket.chat | 1 Rocket.chat | 2024-08-03 | 6.5 Medium |
| A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth tokens by having the permission "view-full-other-user-info", this could cause an oauth token leak in the product. | ||||
| CVE-2022-31204 | 1 Omron | 15 Cp1w-cif41, Cp1w-cif41 Firmware, Cx-programmer and 12 more | 2024-08-03 | 7.5 High |
| Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords. They feature a UM Protection setting that allows users or system integrators to configure a password in order to restrict sensitive engineering operations (such as project/logic uploads and downloads). This password is set using the OMRON FINS command Program Area Protect and unset using the command Program Area Protect Clear, both of which are transmitted in cleartext. | ||||
| CVE-2022-31046 | 1 Typo3 | 1 Typo3 | 2024-08-03 | 4.3 Medium |
| TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the export functionality fails to limit the result set to allowed columns of a particular database table. This way, authenticated users can export internal details of database tables they already have access to. TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, 11.5.11 fix the problem described above. In order to address this issue, access to mentioned export functionality is completely denied for regular backend users. | ||||
| CVE-2022-30312 | 1 Honeywell | 10 Trend Iq411, Trend Iq411 Firmware, Trend Iq412 and 7 more | 2024-08-03 | 6.5 Medium |
| The Trend Controls IC protocol through 2022-05-06 allows Cleartext Transmission of Sensitive Information. According to FSCT-2022-0050, there is a Trend Controls Inter-Controller (IC) protocol cleartext transmission of credentials issue. The affected components are characterized as: Inter-Controller (IC) protocol (57612/UDP). The potential impact is: Compromise of credentials. Several Trend Controls building automation controllers utilize the Inter-Controller (IC) protocol in for information exchange and automation purposes. This protocol offers authentication in the form of a 4-digit PIN in order to protect access to sensitive operations like strategy uploads and downloads as well as optional 0-30 character username and password protection for web page access protection. Both the PIN and usernames and passwords are transmitted in cleartext, allowing an attacker with passive interception capabilities to obtain these credentials. Credentials are transmitted in cleartext. An attacker who obtains Trend IC credentials can carry out sensitive engineering actions such as manipulating controller strategy or configuration settings. If the credentials in question are (re)used for other applications, their compromise could potentially facilitate lateral movement. | ||||
| CVE-2022-30115 | 3 Haxx, Netapp, Splunk | 15 Curl, Clustered Data Ontap, H300s and 12 more | 2024-08-03 | 4.3 Medium |
| Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL. | ||||
| CVE-2022-29945 | 1 Dji | 22 Air 2, Air 2 Firmware, Air 2s and 19 more | 2024-08-03 | 4 Medium |
| DJI drone devices sold in 2017 through 2022 broadcast unencrypted information about the drone operator's physical location via the AeroScope protocol. | ||||