Total
695 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-2005 | 1 Automationdirect | 24 C-more Ea9-pgmsw, C-more Ea9-pgmsw Firmware, C-more Ea9-rhmi and 21 more | 2024-11-21 | N/A | 7.5 HIGH |
| AutomationDirect C-more EA9 HTTP webserver uses an insecure mechanism to transport credentials from client to web server, which may allow an attacker to obtain the login credentials and login as a valid user. This issue affects: AutomationDirect C-more EA9 EA9-T6CL versions prior to 6.73; EA9-T6CL-R versions prior to 6.73; EA9-T7CL versions prior to 6.73; EA9-T7CL-R versions prior to 6.73; EA9-T8CL versions prior to 6.73; EA9-T10CL versions prior to 6.73; EA9-T10WCL versions prior to 6.73; EA9-T12CL versions prior to 6.73; EA9-T15CL versions prior to 6.73; EA9-RHMI versions prior to 6.73; EA9-PGMSW versions prior to 6.73; | |||||
| CVE-2022-2003 | 1 Automationdirect | 18 D0-06aa, D0-06aa Firmware, D0-06ar and 15 more | 2024-11-21 | N/A | 7.7 HIGH |
| AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes. This issue affects: AutomationDirect DirectLOGIC D0-06 series CPUs D0-06DD1 versions prior to 2.72; D0-06DD2 versions prior to 2.72; D0-06DR versions prior to 2.72; D0-06DA versions prior to 2.72; D0-06AR versions prior to 2.72; D0-06AA versions prior to 2.72; D0-06DD1-D versions prior to 2.72; D0-06DD2-D versions prior to 2.72; D0-06DR-D versions prior to 2.72; | |||||
| CVE-2022-29945 | 1 Dji | 22 Air 2, Air 2 Firmware, Air 2s and 19 more | 2024-11-21 | 5.0 MEDIUM | 4.0 MEDIUM |
| DJI drone devices sold in 2017 through 2022 broadcast unencrypted information about the drone operator's physical location via the AeroScope protocol. | |||||
| CVE-2022-29874 | 1 Siemens | 72 7kg8500-0aa00-0aa0, 7kg8500-0aa00-0aa0 Firmware, 7kg8500-0aa00-2aa0 and 69 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). Affected devices do not encrypt web traffic with clients but communicate in cleartext via HTTP. This could allow an unauthenticated attacker to capture the traffic and interfere with the functionality of the device. | |||||
| CVE-2022-29733 | 1 Deltacontrols | 2 Entelitouch, Entelitouch Firmware | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| Delta Controls enteliTOUCH 3.40.3935, 3.40.3706, and 3.33.4005 was discovered to transmit and store sensitive information in cleartext. This vulnerability allows attackers to intercept HTTP Cookie authentication credentials via a man-in-the-middle attack. | |||||
| CVE-2022-29519 | 1 Yokogawa | 4 Stardom Fcj, Stardom Fcj Firmware, Stardom Fcn and 1 more | 2024-11-21 | 7.9 HIGH | 7.5 HIGH |
| Cleartext transmission of sensitive information vulnerability exists in STARDOM FCN Controller and FCJ Controller R1.01 to R4.31, which may allow an adjacent attacker to login the affected products and alter device configuration settings or tamper with device firmware. | |||||
| CVE-2022-28861 | 2 Axis, Citilog | 2 M1125, Citilog | 2024-11-21 | N/A | 5.9 MEDIUM |
| The server in Citilog 8.0 allows an attacker (in a man in the middle position between the server and its smart camera Axis M1125) to see FTP credentials in a cleartext HTTP traffic. These can be used for FTP access to the server. | |||||
| CVE-2022-27619 | 1 Synology | 1 Note Station | 2024-11-21 | N/A | 6.8 MEDIUM |
| Cleartext transmission of sensitive information vulnerability in authentication management in Synology Note Station Client before 2.2.2-609 allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors. | |||||
| CVE-2022-26077 | 1 Openautomationsoftware | 1 Oas Platform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A cleartext transmission of sensitive information vulnerability exists in the OAS Engine configuration communications functionality of Open Automation Software OAS Platform V16.00.0112. A targeted network sniffing attack can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability. | |||||
| CVE-2022-25805 | 1 Igel | 1 Universal Management Suite | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in the IGEL Universal Management Suite (UMS) 6.07.100. The transmission of cleartext LDAP bind credentials by the cmd_mgt_load_mgt_tree command allows an attacker (who can intercept or inspect traffic between an authenticated UMS client and server) to compromise those LDAP bind credentials. | |||||
| CVE-2022-25180 | 1 Jenkins | 1 Pipeline\ | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds, allowing attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline. | |||||
| CVE-2022-24978 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response. | |||||
| CVE-2022-23509 | 1 Weave | 1 Weave Gitops | 2024-11-21 | N/A | 7.3 HIGH |
| Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. The communication between GitOps Run and the local S3 bucket is not encrypted. This allows privileged users or process to tap the local traffic to gain information permitting access to the s3 bucket. From that point, it would be possible to alter the bucket content, resulting in changes in the Kubernetes cluster's resources. There are no known workaround(s) for this vulnerability. This vulnerability has been fixed by commits ce2bbff and babd915. Users should upgrade to Weave GitOps version >= v0.12.0 released on 08/12/2022. | |||||
| CVE-2022-23105 | 1 Jenkins | 1 Active Directory | 2024-11-21 | 2.9 LOW | 6.5 MEDIUM |
| Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations. | |||||
| CVE-2022-22385 | 3 Apple, Ibm, Microsoft | 3 Macos, Security Verify Privilege On-premises, Windows | 2024-11-21 | N/A | 5.9 MEDIUM |
| IBM Security Verify Privilege On-Premises 11.5 could disclose sensitive information to an attacked due to the transmission of data in clear text. IBM X-Force ID: 221962. | |||||
| CVE-2022-21951 | 1 Suse | 1 Rancher | 2024-11-21 | 3.6 LOW | 6.8 MEDIUM |
| A Cleartext Transmission of Sensitive Information vulnerability in SUSE Rancher, Rancher allows attackers on the network to read and change network data due to missing encryption of data transmitted via the network when a cluster is created from an RKE template with the CNI value overridden This issue affects: SUSE Rancher Rancher versions prior to 2.5.14; Rancher versions prior to 2.6.5. | |||||
| CVE-2022-21829 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520. | |||||
| CVE-2022-21798 | 1 Ge | 1 Cimplicity | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
| The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system. | |||||
| CVE-2022-20243 | 1 Google | 1 Android | 2024-11-21 | N/A | 4.4 MEDIUM |
| In Core Utilities, there is a possible log information disclosure. This could lead to local information disclosure of sensitive browsing data with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-190199986 | |||||
| CVE-2022-1524 | 1 Illumina | 8 Iseq 100, Local Run Manager, Miniseq and 5 more | 2024-11-21 | 4.3 MEDIUM | 7.4 HIGH |
| LRM version 2.4 and lower does not implement TLS encryption. A malicious actor can MITM attack sensitive data in-transit, including credentials. | |||||