Search Results (4416 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2016-9346 1 Moxa 6 Miineport E1, Miineport E1 Firmware, Miineport E2 and 3 more 2025-04-20 N/A
An issue was discovered in Moxa MiiNePort E1 versions prior to 1.8, E2 versions prior to 1.4, and E3 versions prior to 1.1. Configuration data are stored in a file that is not encrypted.
CVE-2017-15290 1 Mirasys 1 Video Management System 2025-04-20 N/A
Mirasys Video Management System (VMS) 6.x before 6.4.6, 7.x before 7.5.15, and 8.x before 8.1.1 has a login process in which cleartext data is sent from a server to a client, and not all of this data is required for the client functionality.
CVE-2016-10137 1 Adups 1 Adups Fota 2025-04-20 N/A
An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The content provider named com.adups.fota.sysoper.provider.InfoProvider in the app with a package name of com.adups.fota.sysoper allows any app on the device to read, write, and delete files as the system user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. This allows a third-party app to read, write, and delete the user's sent and received text messages and call log. This allows a third-party app to obtain PII from the user without permission to do so.
CVE-2016-10138 1 Adups 1 Adups Fota 2025-04-20 N/A
An issue was discovered on BLU Advance 5.0 and BLU R1 HD devices with Shanghai Adups software. The com.adups.fota.sysoper app is installed as a system app and cannot be disabled by the user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. The app has an exported broadcast receiver named com.adups.fota.sysoper.WriteCommandReceiver which any app on the device can interact with. Therefore, any app can send a command embedded in an intent which will be executed by the WriteCommandReceiver component which is executing as the system user. The third-party app, utilizing the WriteCommandReceiver, can perform the following actions: call a phone number, factory reset the device, take pictures of the screen, record the screen in a video, install applications, inject events, obtain the Android log, and others. In addition, the com.adups.fota.sysoper.TaskService component will make a request to a URL of http://rebootv5.adsunflower.com/ps/fetch.do where the commands in the String array with a key of sf in the JSON Object sent back by the server will be executed as the system user. Since the connection is made via HTTP, it is vulnerable to a MITM attack.
CVE-2016-10139 1 Adups 1 Adups Fota 2025-04-20 N/A
An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The two package names involved in the exfiltration are com.adups.fota and com.adups.fota.sysoper. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. Therefore, the app executing as the system user has been granted a number of powerful permissions even though they are not present in the com.adups.fota.sysoper app's AndroidManifest.xml file. This app provides the com.adups.fota app access to the user's call log, text messages, and various device identifiers through the com.adups.fota.sysoper.provider.InfoProvider component. The com.adups.fota app uses timestamps when it runs and is eligible to exfiltrate the user's PII every 72 hours. If 72 hours have passed since the value of the timestamp, then the exfiltration will be triggered by the user plugging in the device to charge or when they leave or enter a wireless network. The exfiltration occurs in the background without any user interaction.
CVE-2017-8221 1 Wificam 2 Wireless Ip Camera \(p2p\), Wireless Ip Camera \(p2p\) Firmware 2025-04-20 N/A
Wireless IP Camera (P2P) WIFICAM devices rely on a cleartext UDP tunnel protocol (aka the Cloud feature) for communication between an Android application and a camera device, which allows remote attackers to obtain sensitive information by sniffing the network.
CVE-2017-6297 1 Mikrotik 1 Routeros 2025-04-20 N/A
The L2TP Client in MikroTik RouterOS versions 6.83.3 and 6.37.4 does not enable IPsec encryption after a reboot, which allows man-in-the-middle attackers to view transmitted data unencrypted and gain access to networks on the L2TP server by monitoring the packets for the transmitted data and obtaining the L2TP secret.
CVE-2017-8168 1 Huawei 1 Fusionsphere Openstack 2025-04-20 N/A
FusionSphere OpenStack with software V100R006C00SPC102(NFV) and V100R006C10 have an information leak vulnerability. Due to an incorrect configuration item, the information transmitted by a transmission channel is not encrypted. An attacker accessing the internal network may obtain sensitive information transmitted.
CVE-2023-34829 1 Tp-link 1 Tapo 2025-04-17 6.5 Medium
Incorrect access control in TP-Link Tapo before v3.1.315 allows attackers to access user credentials in plaintext.
CVE-2023-31300 1 Sesami 1 Cash Point \& Transport Optimizer 2025-04-17 7.5 High
An issue was discovered in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via transmission of unencrypted, cleartext credentials during Password Reset feature.
CVE-2020-4497 1 Ibm 1 Spectrum Protect Plus 2025-04-17 6.8 Medium
IBM Spectrum Protect Plus 10.1.0 through 10.1.12 discloses sensitive information due to unencrypted data being used in the communication flow between Spectrum Protect Plus vSnap and its agents. An attacker could obtain information using main in the middle techniques. IBM X-Force ID: 182106.
CVE-2020-14480 1 Rockwellautomation 1 Factorytalk View 2025-04-17 5.5 Medium
Due to usernames/passwords being stored in plaintext in Random Access Memory (RAM), a local, authenticated attacker could gain access to certain credentials, including Windows Logon credentials.
CVE-2024-40582 1 Pentaminds 1 Curovms 2025-04-17 7.5 High
Pentaminds CuroVMS v2.0.1 was discovered to contain exposed sensitive information.
CVE-2022-42454 1 Hcltechsw 1 Bigfix Insights For Vulnerability Remediation 2025-04-16 6.4 Medium
Insights for Vulnerability Remediation (IVR) is vulnerable to man-in-the-middle attacks that may lead to information disclosure.  This requires privileged network access.
CVE-2022-21798 1 Ge 1 Cimplicity 2025-04-16 7.5 High
The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system.
CVE-2020-25178 3 Rockwellautomation, Schneider-electric, Xylem 31 Aadvance Controller, Isagraf Free Runtime, Isagraf Runtime and 28 more 2025-04-16 7.5 High
ISaGRAF Workbench communicates with Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x using TCP/IP. This communication protocol provides various file system operations, as well as the uploading of applications. Data is transferred over this protocol unencrypted, which could allow a remote unauthenticated attacker to upload, read, and delete files.
CVE-2022-0835 1 Aveva 1 System Platform 2025-04-16 8.1 High
AVEVA System Platform 2020 stores sensitive information in cleartext, which may allow access to an attacker or a low-privileged user.
CVE-2022-1524 1 Illumina 8 Iseq 100, Local Run Manager, Miniseq and 5 more 2025-04-16 7.4 High
LRM version 2.4 and lower does not implement TLS encryption. A malicious actor can MITM attack sensitive data in-transit, including credentials.
CVE-2022-2003 1 Automationdirect 18 D0-06aa, D0-06aa Firmware, D0-06ar and 15 more 2025-04-16 7.7 High
AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes. This issue affects: AutomationDirect DirectLOGIC D0-06 series CPUs D0-06DD1 versions prior to 2.72; D0-06DD2 versions prior to 2.72; D0-06DR versions prior to 2.72; D0-06DA versions prior to 2.72; D0-06AR versions prior to 2.72; D0-06AA versions prior to 2.72; D0-06DD1-D versions prior to 2.72; D0-06DD2-D versions prior to 2.72; D0-06DR-D versions prior to 2.72;
CVE-2022-2485 1 Automationdirect 20 Sio-mb04ads, Sio-mb04ads Firmware, Sio-mb04das and 17 more 2025-04-16 9.6 Critical
Any attempt (good or bad) to log into AutomationDirect Stride Field I/O with a web browser may result in the device responding with its password in the communication packets.