Total
493 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-9854 | 1 Sma | 78 Sunny Boy 1.5, Sunny Boy 1.5 Firmware, Sunny Boy 2.5 and 75 more | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in SMA Solar Technology products. By sniffing for specific packets on the localhost, plaintext passwords can be obtained as they are typed into Sunny Explorer by the user. These passwords can then be used to compromise the overall device. NOTE: the vendor reports that exploitation likelihood is low because these packets are usually sent only once during installation. Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected | |||||
| CVE-2017-17763 | 1 Liveqos | 1 Superbeam | 2025-04-20 | 7.6 HIGH | 7.5 HIGH |
| SuperBeam through 4.1.3, when using the LAN or WiFi Direct Share feature, does not use HTTPS or any integrity-protection mechanism for file transfer, which makes it easier for remote attackers to send crafted files, as demonstrated by APK injection. | |||||
| CVE-2017-3218 | 1 Samsung | 1 Magician | 2025-04-20 | 8.3 HIGH | 8.8 HIGH |
| Samsung Magician 5.0 fails to validate TLS certificates for HTTPS software update traffic. Prior to version 5.0, Samsung Magician uses HTTP for software updates. | |||||
| CVE-2017-6297 | 1 Mikrotik | 1 Routeros | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| The L2TP Client in MikroTik RouterOS versions 6.83.3 and 6.37.4 does not enable IPsec encryption after a reboot, which allows man-in-the-middle attackers to view transmitted data unencrypted and gain access to networks on the L2TP server by monitoring the packets for the transmitted data and obtaining the L2TP secret. | |||||
| CVE-2017-8769 | 1 Whatsapp | 1 Whatsapp | 2025-04-20 | 2.1 LOW | 4.6 MEDIUM |
| Facebook WhatsApp Messenger before 2.16.323 for Android uses the SD card for cleartext storage of files (Audio, Documents, Images, Video, and Voice Notes) associated with a chat, even after that chat is deleted. There may be users who expect file deletion to occur upon chat deletion, or who expect encryption (consistent with the application's use of an encrypted database to store chat text). NOTE: the vendor reportedly indicates that they do not "consider these to be security issues" because a user may legitimately want to preserve any file for use "in other apps like the Google Photos gallery" regardless of whether its associated chat is deleted | |||||
| CVE-2017-8168 | 1 Huawei | 1 Fusionsphere Openstack | 2025-04-20 | 3.3 LOW | 4.3 MEDIUM |
| FusionSphere OpenStack with software V100R006C00SPC102(NFV) and V100R006C10 have an information leak vulnerability. Due to an incorrect configuration item, the information transmitted by a transmission channel is not encrypted. An attacker accessing the internal network may obtain sensitive information transmitted. | |||||
| CVE-2017-5042 | 6 Apple, Debian, Google and 3 more | 9 Macos, Debian Linux, Android and 6 more | 2025-04-20 | 3.3 LOW | 5.7 MEDIUM |
| Cast in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android sent cookies to sites discovered via SSDP, which allowed an attacker on the local network segment to initiate connections to arbitrary URLs and observe any plaintext cookies sent. | |||||
| CVE-2017-9045 | 1 Google | 1 Google I\/o 2017 | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Google I/O 2017 application before 5.1.4 for Android downloads multiple .json files from http://storage.googleapis.com without SSL, which makes it easier for man-in-the-middle attackers to spoof Feed and Schedule data by creating a modified blocks_v4.json file. | |||||
| CVE-2017-7729 | 1 Ismartalarm | 2 Cubeone, Cubeone Firmware | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| On iSmartAlarm cube devices, there is Incorrect Access Control because a "new key" is transmitted in cleartext. | |||||
| CVE-2017-12817 | 1 Kaspersky | 1 Internet Security | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| In Kaspersky Internet Security for Android 11.12.4.1622, some of the application trace files were not encrypted. | |||||
| CVE-2017-6445 | 1 Openelec | 1 Openelec | 2025-04-20 | 7.6 HIGH | 8.1 HIGH |
| The auto-update feature of Open Embedded Linux Entertainment Center (OpenELEC) 6.0.3, 7.0.1, and 8.0.4 uses neither encrypted connections nor signed updates. A man-in-the-middle attacker could manipulate the update packages to gain root access remotely. | |||||
| CVE-2017-15609 | 1 Octopus | 1 Octopus Deploy | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop Targets. | |||||
| CVE-2022-38658 | 2 Hcltech, Microsoft | 2 Bigfix Server Automation, Windows | 2025-04-15 | N/A | 7.7 HIGH |
| BigFix deployments that have installed the Notification Service on Windows are susceptible to disclosing SMTP BigFix operator's sensitive data in clear text. Operators who use Notification Service related content from BES Support are at risk of leaving their SMTP sensitive data exposed. | |||||
| CVE-2021-4239 | 1 Noiseprotocol | 1 Noise | 2025-04-14 | N/A | 7.5 HIGH |
| The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce. In a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages. | |||||
| CVE-2007-4961 | 1 Lindenlab | 1 Second Life | 2025-04-09 | 4.3 MEDIUM | 7.5 HIGH |
| The login_to_simulator method in Linden Lab Second Life, as used by the secondlife:// protocol handler and possibly other Second Life login mechanisms, sends an MD5 hash in cleartext in the passwd field, which allows remote attackers to login to an account by sniffing the network and then sending this hash to a Second Life authentication server. | |||||
| CVE-2025-29314 | 2025-03-27 | N/A | 8.1 HIGH | ||
| Insecure Shiro cookie configurations in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allow attackers to access sensitive information via a man-in-the-middle attack. | |||||
| CVE-2022-47715 | 1 Lastyard | 1 Last Yard | 2025-03-27 | N/A | 5.3 MEDIUM |
| In Last Yard 22.09.8-1, the cookie can be stolen via via unencrypted traffic. | |||||
| CVE-2025-1243 | 2025-02-12 | N/A | N/A | ||
| The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted inĀ information contained within the `update response` field not having Data Converter transformations (e.g. encryption) applied. This is an issue only when using the UpdateWorkflowExecution APIs (released on 13th January 2025) with a proxy leveraging the api-go library before version 1.44.1. Other data fields were correctly sent to Data Converter. This issue does not impact the Data Converter server. Data was encrypted in transit. Temporal Cloud services are not impacted. | |||||
| CVE-2023-30523 | 1 Jenkins | 1 Report Portal | 2025-02-07 | N/A | 4.3 MEDIUM |
| Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2023-22948 | 1 Tigergraph | 1 Tigergraph | 2025-02-07 | N/A | 4.9 MEDIUM |
| An issue was discovered in TigerGraph Enterprise Free Edition 3.x. There is unsecured read access to an SSH private key. Any code that runs as the tigergraph user is able to read the SSH private key. With this, an attacker is granted password-less SSH access to all machines in the TigerGraph cluster. | |||||