Total
695 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3261 | 1 Redhat | 1 Openstack Platform | 2024-11-21 | N/A | 4.4 MEDIUM |
| A flaw was found in OpenStack. Multiple components show plain-text passwords in /var/log/messages during the OpenStack overcloud update run, leading to a disclosure of sensitive information problem. | |||||
| CVE-2022-39339 | 1 Nextcloud | 1 Openid Connect User Backend | 2024-11-21 | N/A | 4.3 MEDIUM |
| user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account security. This issue has been addressed in in user_oidc v1.2.1. Users are advised to upgrade. Users unable to upgrade may use https to access Nextcloud. Set an HTTPS discovery URL in the provider settings (in Nextcloud OIDC admin settings). | |||||
| CVE-2022-39287 | 1 Tiny-csrf Project | 1 Tiny-csrf | 2024-11-21 | N/A | 8.1 HIGH |
| tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch with be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-38846 | 1 Espocrm | 1 Espocrm | 2024-11-21 | N/A | 5.9 MEDIUM |
| EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using MITM attack. | |||||
| CVE-2022-38122 | 1 Upspowercom | 1 Upsmon Pro | 2024-11-21 | N/A | 7.5 HIGH |
| UPSMON PRO transmits sensitive data in cleartext over HTTP protocol. An unauthenticated remote attacker can exploit this vulnerability to access sensitive data. | |||||
| CVE-2022-36200 | 1 Fiberhome | 2 Hg150-ub, Hg150-ub Firmware | 2024-11-21 | N/A | 7.5 HIGH |
| In FiberHome VDSL2 Modem HG150-Ub_V3.0, Credentials of Admin are submitted in URL, which can be logged/sniffed. | |||||
| CVE-2022-34804 | 1 Jenkins | 1 Opsgenie | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins OpsGenie Plugin 1.9 and earlier transmits API keys in plain text as part of the global Jenkins configuration form and job configuration forms, potentially resulting in their exposure. | |||||
| CVE-2022-34801 | 1 Jenkins | 1 Build Notifications | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Build Notifications Plugin 1.5.0 and earlier transmits tokens in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | |||||
| CVE-2022-33724 | 1 Google | 1 Android | 2024-11-21 | N/A | 3.3 LOW |
| Exposure of Sensitive Information in Samsung Dialer application?prior to SMR Aug-2022 Release 1 allows local attackers to access ICCID via log. | |||||
| CVE-2022-32510 | 2024-11-21 | N/A | 7.1 HIGH | ||
| An issue was discovered on certain Nuki Home Solutions devices. The HTTP API exposed by a Bridge used an unencrypted channel to provide an administrative interface. A token can be easily eavesdropped by a malicious actor to impersonate a legitimate user and gain access to the full set of API endpoints. This affects Nuki Bridge v1 before 1.22.0 and v2 before 2.13.2. | |||||
| CVE-2022-32245 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-11-21 | N/A | 8.2 HIGH |
| SAP BusinessObjects Business Intelligence Platform (Open Document) - versions 420, 430, allows an unauthenticated attacker to retrieve sensitive information plain text over the network. On successful exploitation, the attacker can view any data available for a business user and put load on the application by an automated attack. Thus, completely compromising confidentiality but causing a limited impact on the availability of the application. | |||||
| CVE-2022-32227 | 1 Rocket.chat | 1 Rocket.chat | 2024-11-21 | N/A | 6.5 MEDIUM |
| A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth tokens by having the permission "view-full-other-user-info", this could cause an oauth token leak in the product. | |||||
| CVE-2022-31204 | 1 Omron | 15 Cp1w-cif41, Cp1w-cif41 Firmware, Cx-programmer and 12 more | 2024-11-21 | N/A | 7.5 HIGH |
| Omron CS series, CJ series, and CP series PLCs through 2022-05-18 use cleartext passwords. They feature a UM Protection setting that allows users or system integrators to configure a password in order to restrict sensitive engineering operations (such as project/logic uploads and downloads). This password is set using the OMRON FINS command Program Area Protect and unset using the command Program Area Protect Clear, both of which are transmitted in cleartext. | |||||
| CVE-2022-31046 | 1 Typo3 | 1 Typo3 | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the export functionality fails to limit the result set to allowed columns of a particular database table. This way, authenticated users can export internal details of database tables they already have access to. TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, 11.5.11 fix the problem described above. In order to address this issue, access to mentioned export functionality is completely denied for regular backend users. | |||||
| CVE-2022-30994 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Cleartext transmission of sensitive information. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 29240 | |||||
| CVE-2022-30993 | 3 Acronis, Linux, Microsoft | 3 Cyber Protect, Linux Kernel, Windows | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Cleartext transmission of sensitive information. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 29240 | |||||
| CVE-2022-30312 | 1 Honeywell | 10 Trend Iq411, Trend Iq411 Firmware, Trend Iq412 and 7 more | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Trend Controls IC protocol through 2022-05-06 allows Cleartext Transmission of Sensitive Information. According to FSCT-2022-0050, there is a Trend Controls Inter-Controller (IC) protocol cleartext transmission of credentials issue. The affected components are characterized as: Inter-Controller (IC) protocol (57612/UDP). The potential impact is: Compromise of credentials. Several Trend Controls building automation controllers utilize the Inter-Controller (IC) protocol in for information exchange and automation purposes. This protocol offers authentication in the form of a 4-digit PIN in order to protect access to sensitive operations like strategy uploads and downloads as well as optional 0-30 character username and password protection for web page access protection. Both the PIN and usernames and passwords are transmitted in cleartext, allowing an attacker with passive interception capabilities to obtain these credentials. Credentials are transmitted in cleartext. An attacker who obtains Trend IC credentials can carry out sensitive engineering actions such as manipulating controller strategy or configuration settings. If the credentials in question are (re)used for other applications, their compromise could potentially facilitate lateral movement. | |||||
| CVE-2022-30115 | 3 Haxx, Netapp, Splunk | 15 Curl, Clustered Data Ontap, H300s and 12 more | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL. | |||||
| CVE-2022-2485 | 1 Automationdirect | 20 Sio-mb04ads, Sio-mb04ads Firmware, Sio-mb04das and 17 more | 2024-11-21 | N/A | 9.6 CRITICAL |
| Any attempt (good or bad) to log into AutomationDirect Stride Field I/O with a web browser may result in the device responding with its password in the communication packets. | |||||
| CVE-2022-2338 | 1 Softing | 6 Edgeaggregator, Edgeconnector, Opc and 3 more | 2024-11-21 | N/A | 5.7 MEDIUM |
| Softing Secure Integration Server V1.22 is vulnerable to authentication bypass via a machine-in-the-middle attack. The default the administration interface is accessible via plaintext HTTP protocol, facilitating the attack. The HTTP request may contain the session cookie in the request, which may be captured for use in authenticating to the server. | |||||