Total
718 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-45361 | 2025-03-27 | 6.5 Medium | ||
| A protocol flaw vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to leak sensitive user information. | ||||
| CVE-2023-25016 | 1 Couchbase | 1 Couchbase Server | 2025-03-25 | 7.5 High |
| Couchbase Server before 6.6.6, 7.x before 7.0.5, and 7.1.x before 7.1.2 exposes Sensitive Information to an Unauthorized Actor. | ||||
| CVE-2024-44276 | 2025-03-21 | 7.3 High | ||
| This issue was addressed by using HTTPS when sending information over the network. This issue is fixed in iOS 18.2 and iPadOS 18.2. A user in a privileged network position may be able to leak sensitive information. | ||||
| CVE-2025-2311 | 2025-03-21 | 9 Critical | ||
| Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring.This issue affects SecHard: before 3.3.0.20220411. | ||||
| CVE-2022-41545 | 2025-03-20 | 6.4 Medium | ||
| The administrative web interface of a Netgear C7800 Router running firmware version 6.01.07 (and possibly others) authenticates users via basic authentication, with an HTTP header containing a base64 value of the plaintext username and password. Because the web server also does not utilize transport security by default, this renders the administrative credentials vulnerable to eavesdropping by an adversary during every authenticated request made by a client to the router over a WLAN, or a LAN, should the adversary be able to perform a man-in-the-middle attack. | ||||
| CVE-2025-25728 | 2025-03-19 | 6.5 Medium | ||
| Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to send communications to the update API in plaintext, allowing attackers to access sensitive information via a man-in-the-middle attack. | ||||
| CVE-2022-45546 | 1 Screencheck | 1 Badgemaker | 2025-03-19 | 7.5 High |
| Information Disclosure in Authentication Component of ScreenCheck BadgeMaker 2.6.2.0 application allows internal attacker to obtain credentials for authentication via network sniffing. | ||||
| CVE-2024-7531 | 2 Mozilla, Redhat | 3 Firefox, Firefox Esr, Rhel Aus | 2025-03-19 | 6.3 Medium |
| Calling `PK11_Encrypt()` in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1. | ||||
| CVE-2024-36558 | 2025-03-19 | 7.5 High | ||
| Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h suffers from Cleartext Transmission of Sensitive Information due to lack of encryption in device-server communication. | ||||
| CVE-2024-7713 | 1 Ays-pro | 2 Ai Chatbot With Chatgpt, Chatgpt Assistant | 2025-03-18 | 7.5 High |
| The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 discloses the Open AI API Key, allowing unauthenticated users to obtain it | ||||
| CVE-2024-36426 | 1 Targit | 1 Decision Suite 23.2.15007.0 | 2025-03-18 | 7.5 High |
| In TARGIT Decision Suite 23.2.15007.0 before Autumn 2023, the session token is part of the URL and may be sent in a cleartext HTTP session. | ||||
| CVE-2024-31840 | 1 Italtel | 1 Embrace | 2025-03-14 | 6.5 Medium |
| An issue was discovered in Italtel Embrace 1.6.4. The web application inserts cleartext passwords in the HTML source code. An authenticated user is able to edit the configuration of the email server. Once the user access the edit function, the web application fills the edit form with the current credentials for the email account, including the cleartext password. | ||||
| CVE-2025-27594 | 2025-03-14 | 7.5 High | ||
| The device uses an unencrypted, proprietary protocol for communication. Through this protocol, configuration data is transmitted and device authentication is performed. An attacker can thereby intercept the authentication hash and use it to log into the device using a pass-the-hash attack. | ||||
| CVE-2024-41927 | 1 Idec | 182 Ft1a-b12ra, Ft1a-b12ra Firmware, Ft1a-b24ra and 179 more | 2025-03-13 | 4.6 Medium |
| Cleartext transmission of sensitive information vulnerability exists in multiple IDEC PLCs. If an attacker sends a specific command to PLC's serial communication port, user credentials may be obtained. As a result, the program of the PLC may be obtained, and the PLC may be manipulated. | ||||
| CVE-2025-23060 | 2025-03-13 | 6.6 Medium | ||
| A vulnerability in HPE Aruba Networking ClearPass Policy Manager may, under certain circumstances, expose sensitive unencrypted information. Exploiting this vulnerability could allow an attacker to perform a man-in-the-middle attack, potentially granting unauthorized access to network resources as well as enabling data tampering. | ||||
| CVE-2023-23914 | 4 Haxx, Netapp, Redhat and 1 more | 13 Curl, Active Iq Unified Manager, Clustered Data Ontap and 10 more | 2025-03-12 | 9.1 Critical |
| A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on. | ||||
| CVE-2024-13872 | 2025-03-12 | N/A | ||
| Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. Updates can be remotely triggered through the /set_temp_token API method. Then, an unauthenticated and network-adjacent attacker can use man-in-the-middle (MITM) techniques to return malicious responses. Restarted daemons that use malicious assets can then be exploited for remote code execution on the device. | ||||
| CVE-2022-32906 | 1 Apple | 1 Music | 2025-03-11 | 5.3 Medium |
| This issue was addressed with using HTTPS when sending information over the network. This issue is fixed in Apple Music 3.9.10 for Android. A user in a privileged network position may intercept SSL/TLS connections. | ||||
| CVE-2022-23509 | 1 Weave | 1 Weave Gitops | 2025-03-10 | 7.4 High |
| Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local S3 bucket is not encrypted. This allows privileged users or process to tap the local traffic to gain information permitting access to the s3 bucket. From that point, it would be possible to alter the bucket content, resulting in changes in the Kubernetes cluster's resources. There are no known workaround(s) for this vulnerability. This vulnerability has been fixed by commits ce2bbff and babd915. Users should upgrade to Weave GitOps version >= v0.12.0 released on 08/12/2022. | ||||
| CVE-2025-27622 | 2025-03-06 | 4.3 Medium | ||
| Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets. | ||||