Total
302 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-23127 | 1 Connectwise | 1 Connectwise | 2024-11-21 | N/A | 5.3 MEDIUM |
In Connectwise Control 22.8.10013.8329, the login page does not implement HSTS headers therefore not enforcing HTTPS. NOTE: the vendor's position is that, by design, this is controlled by a configuration option in which a customer can choose to use HTTP (rather than HTTPS) during troubleshooting. | |||||
CVE-2023-0750 | 1 Lynx-technik | 2 Yellobrik Pec 1864, Yellobrik Pec 1864 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
Yellobrik PEC-1864 implements authentication checks via javascript in the frontend interface. When the device can be accessed over the network an attacker could bypass authentication. This would allow an attacker to : - Change the password, resulting in a DOS of the users - Change the streaming source, compromising the integrity of the stream - Change the streaming destination, compromising the confidentiality of the stream This issue affects Yellowbrik: PEC 1864. No patch has been issued by the manufacturer as this model was discontinued. | |||||
CVE-2023-0690 | 1 Hashicorp | 1 Boundary | 2024-11-21 | N/A | 5.0 MEDIUM |
HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This would result in the credentials being stored in plaintext on the Boundary PKI worker’s disk. This issue is fixed in version 0.12.0. | |||||
CVE-2022-4683 | 1 Usememos | 1 Memos | 2024-11-21 | N/A | 6.5 MEDIUM |
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0. | |||||
CVE-2022-4409 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-21 | N/A | 7.5 HIGH |
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9. | |||||
CVE-2022-40295 | 1 Phppointofsale | 1 Php Point Of Sale | 2024-11-21 | N/A | 4.9 MEDIUM |
The application was vulnerable to an authenticated information disclosure, allowing administrators to view unsalted user passwords, which could lead to the compromise of plaintext passwords via offline attacks. | |||||
CVE-2022-3251 | 1 Ikus-soft | 1 Minarca | 2024-11-21 | N/A | 5.3 MEDIUM |
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/minarca prior to 4.2.2. | |||||
CVE-2022-3250 | 1 Ikus-soft | 1 Rdiffweb | 2024-11-21 | N/A | 5.3 MEDIUM |
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6. | |||||
CVE-2022-3174 | 1 Ikus-soft | 1 Rdiffweb | 2024-11-21 | N/A | 7.5 HIGH |
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.2. | |||||
CVE-2022-39014 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-11-21 | N/A | 5.3 MEDIUM |
Under certain conditions SAP BusinessObjects Business Intelligence Platform Central Management Console (CMC) - version 430, allows an attacker to access certain unencrypted sensitive parameters which would otherwise be restricted. | |||||
CVE-2022-38458 | 1 Netgear | 2 Rbs750, Rbs750 Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information. | |||||
CVE-2022-38194 | 1 Esri | 1 Portal For Arcgis | 2024-11-21 | N/A | 6.7 MEDIUM |
In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file. | |||||
CVE-2022-34307 | 1 Ibm | 1 Cics Tx | 2024-11-21 | N/A | 4.3 MEDIUM |
IBM CICS TX 11.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 229436. | |||||
CVE-2022-33161 | 1 Ibm | 4 Security Directory Integrator, Security Directory Server, Security Directory Suite and 1 more | 2024-11-21 | N/A | 5.3 MEDIUM |
IBM Security Directory Server 6.4.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. X-Force ID: 228569. | |||||
CVE-2022-30237 | 1 Schneider-electric | 4 Wiser Smart Eer21000, Wiser Smart Eer21000 Firmware, Wiser Smart Eer21001 and 1 more | 2024-11-21 | 5.0 MEDIUM | 8.2 HIGH |
A CWE-311: Missing Encryption of Sensitive Data vulnerability exists that could allow authentication credentials to be recovered when an attacker breaks the encoding. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior) | |||||
CVE-2022-27225 | 1 Gradle | 1 Enterprise | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards compatibility with older Safari versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the cookie to be sent when accessing the location that cookie is set for via HTTP. This creates the potential for an attacker (with the ability to impersonate the Gradle Enterprise host) to capture the login session of a user by having them click an http:// link to the server, despite the real server requiring HTTPS. | |||||
CVE-2022-26281 | 1 Bigantsoft | 1 Bigant Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
BigAnt Server v5.6.06 was discovered to contain an incorrect access control issue. | |||||
CVE-2022-26157 | 1 Cherwell | 1 Cherwell Service Management | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. The ASP.NET_Sessionid cookie is not protected by the Secure flag. This makes it prone to interception by an attacker if traffic is sent over unencrypted channels. | |||||
CVE-2022-24045 | 1 Siemens | 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information. | |||||
CVE-2022-23116 | 1 Jenkins | 1 Conjur Secrets | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method. |