Total
750 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-47560 | 1 Ormazabal | 4 Ekorccp, Ekorccp Firmware, Ekorrci and 1 more | 2025-06-18 | 5.7 Medium |
| The lack of web request control on ekorCCP and ekorRCI devices allows a potential attacker to create custom requests to execute malicious actions when a user is logged in. | ||||
| CVE-2023-32328 | 1 Ibm | 1 Security Verify Access | 2025-06-17 | 7.5 High |
| IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that could allow an attacker on the network to take control of the server. IBM X-Force Id: 254957. | ||||
| CVE-2023-51741 | 1 Skyworthdigital | 2 Cm5100, Cm5100 Firmware | 2025-06-17 | 7.5 High |
| This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to transmission of authentication credentials in plaintext over the network. A remote attacker could exploit this vulnerability by eavesdropping on the victim’s network traffic to extract username and password from the web interface (Password Reset Page) of the vulnerable targeted system. | ||||
| CVE-2022-30312 | 1 Honeywell | 10 Trend Iq411, Trend Iq411 Firmware, Trend Iq412 and 7 more | 2025-06-17 | 6.5 Medium |
| The Trend Controls IC protocol through 2022-05-06 allows Cleartext Transmission of Sensitive Information. According to FSCT-2022-0050, there is a Trend Controls Inter-Controller (IC) protocol cleartext transmission of credentials issue. The affected components are characterized as: Inter-Controller (IC) protocol (57612/UDP). The potential impact is: Compromise of credentials. Several Trend Controls building automation controllers utilize the Inter-Controller (IC) protocol in for information exchange and automation purposes. This protocol offers authentication in the form of a 4-digit PIN in order to protect access to sensitive operations like strategy uploads and downloads as well as optional 0-30 character username and password protection for web page access protection. Both the PIN and usernames and passwords are transmitted in cleartext, allowing an attacker with passive interception capabilities to obtain these credentials. Credentials are transmitted in cleartext. An attacker who obtains Trend IC credentials can carry out sensitive engineering actions such as manipulating controller strategy or configuration settings. If the credentials in question are (re)used for other applications, their compromise could potentially facilitate lateral movement. | ||||
| CVE-2023-46889 | 1 Meross | 2 Msh30q, Msh30q Firmware | 2025-06-17 | 5.7 Medium |
| Meross MSH30Q 4.5.23 is vulnerable to Cleartext Transmission of Sensitive Information. During the device setup phase, the MSH30Q creates an unprotected Wi-Fi access point. In this phase, MSH30Q needs to connect to the Internet through a Wi-Fi router. This is why MSH30Q asks for the Wi-Fi network name (SSID) and the Wi-Fi network password. When the user enters the password, the transmission of the Wi-Fi password and name between the MSH30Q and mobile application is observed in the Wi-Fi network. Although the Wi-Fi password is encrypted, a part of the decryption algorithm is public so we complemented the missing parts to decrypt it. | ||||
| CVE-2025-49183 | 2025-06-13 | 7.5 High | ||
| All communication with the REST API is unencrypted (HTTP), allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files. | ||||
| CVE-2025-49194 | 2025-06-13 | 7.5 High | ||
| The server supports authentication methods in which credentials are sent in plaintext over unencrypted channels. If an attacker were to intercept traffic between a client and this server, the credentials would be exposed. | ||||
| CVE-2024-44105 | 1 Ivanti | 2 Automation, Workspace Control | 2025-06-12 | 8.2 High |
| Cleartext transmission of sensitive information in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to obtain OS credentials. | ||||
| CVE-2025-5270 | 1 Mozilla | 1 Firefox | 2025-06-11 | 7.5 High |
| In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139 and Thunderbird < 139. | ||||
| CVE-2022-41545 | 1 Netgear | 2 C7800, C7800 Firmware | 2025-06-06 | 6.4 Medium |
| The administrative web interface of a Netgear C7800 Router running firmware version 6.01.07 (and possibly others) authenticates users via basic authentication, with an HTTP header containing a base64 value of the plaintext username and password. Because the web server also does not utilize transport security by default, this renders the administrative credentials vulnerable to eavesdropping by an adversary during every authenticated request made by a client to the router over a WLAN, or a LAN, should the adversary be able to perform a man-in-the-middle attack. | ||||
| CVE-2023-45716 | 1 Hcltech | 1 Sametime | 2025-06-03 | 1.7 Low |
| Sametime is impacted by sensitive information passed in URL. | ||||
| CVE-2024-0056 | 2 Microsoft, Redhat | 21 .net, .net Framework, Microsoft.data.sqlclient and 18 more | 2025-06-03 | 8.7 High |
| Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability | ||||
| CVE-2024-35060 | 1 Nasa | 1 Ait Core | 2025-06-03 | 7.5 High |
| An issue in the YAML Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands via supplying a crafted YAML file. | ||||
| CVE-2024-35059 | 1 Nasa | 1 Ait Core | 2025-06-03 | 7.5 High |
| An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands. | ||||
| CVE-2024-35058 | 1 Nasa | 1 Ait Core | 2025-06-03 | 7.5 High |
| An issue in the API wait function of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via supplying a crafted string. | ||||
| CVE-2024-35057 | 1 Nasa | 1 Ait Core | 2025-06-03 | 7.5 High |
| An issue in NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via a crafted packet. | ||||
| CVE-2023-50614 | 1 Cdebyte | 2 E880-ir01, E880-ir01 Firmware | 2025-06-02 | 7.5 High |
| An issue discovereed in EBYTE E880-IR01-V1.1 allows an attacker to obtain sensitive information via crafted POST request to /cgi-bin/luci. | ||||
| CVE-2024-50624 | 1 Kde | 1 Kmail | 2025-05-31 | 5.9 Medium |
| ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle attackers to trigger use of an attacker-controlled mail server because cleartext HTTP is used for a URL such as http://autoconfig.example.com or http://example.com/.well-known/autoconfig for retrieving the configuration. This is related to kmail-account-wizard. | ||||
| CVE-2025-40583 | 1 Siemens | 2 Scalance Lpe9403, Scalance Lpe9403 Firmware | 2025-05-30 | 4.4 Medium |
| A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions with SINEMA Remote Connect Edge Client installed). Affected devices do transmit sensitive information in cleartext. This could allow a privileged local attacker to retrieve this sensitive information. | ||||
| CVE-2022-32857 | 1 Apple | 6 Ipados, Iphone Os, Mac Os X and 3 more | 2025-05-29 | 4.3 Medium |
| This issue was addressed by using HTTPS when sending information over the network. This issue is fixed in macOS Monterey 12.5, macOS Big Sur 11.6.8, Security Update 2022-005 Catalina, iOS 15.6 and iPadOS 15.6, tvOS 15.6, watchOS 8.7. A user in a privileged network position can track a user’s activity. | ||||