| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q200 family (All versions >= V2.70 < V2.80). Affected devices export the password for the SMTP account as plain text in the Configuration File. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes. |
| Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint. |
| Insecure Storage of Sensitive Information vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Retrieve Embedded Sensitive Data.This issue affects Senseway: through 09022026.
NOTE: Because the product was developed using outdated technology, the manufacturer is unable to fix the relevant vulnerabilities. Users of the Sensaway application are advised to contact the manufacturer and review updated products developed with newer technology. |
| A flaw was found in Event-Driven Automation (EDA) in Ansible Automation Platform (AAP), which lacks encryption of sensitive information. An attacker with network access could exploit this vulnerability by sniffing the plaintext data transmitted between the EDA and AAP. An attacker with system access could exploit this vulnerability by reading the plaintext data stored in EDA and AAP databases. |
| Missing encryption of sensitive data in Korenix JetPort 5601v3 allows Eavesdropping.This issue affects JetPort 5601v3: through 1.2. |
| The HI-SCAN 6040i Hitrax HX-03-19-I was discovered to transmit user credentials in cleartext over the GIOP protocol. This allows attackers to possibly gain access to sensitive information via a man-in-the-middle attack. |
| A cleartext transmission of sensitive information vulnerability in the affected products allows an unauthorized remote attacker to gain login credentials and access the Web-UI. |
| An adjacent attacker without authentication can exploit this vulnerability to retrieve a set of user-privileged credentials. These credentials are present during the firmware upgrade procedure. |
| A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability. |
| Cleartext Storage of Sensitive Information (CWE-312) in the Gallagher Morpho integration could allow an authenticated user with access to the Command Centre Server to export a specific signing key while in use allowing them to deploy a compromised or counterfeit device on that site.
This issue affects Command Centre Server: 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior. |
| Cognex In-Sight Explorer and In-Sight Camera Firmware expose
a proprietary protocol on TCP port 1069 to perform management operations
such as modifying system properties. The user management functionality
handles sensitive data such as registered usernames and passwords over
an unencrypted channel, allowing an adjacent attacker to intercept valid
credentials to gain access to the device. |
| A flaw has been found in editso fuso up to 1.0.4-beta.7. This affects the function PenetrateRsaAndAesHandshake of the file src/net/penetrate/handshake/mod.rs. This manipulation of the argument priv_key causes inadequate encryption strength. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. |
| Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2. |
| Information disclosure and exposure of authentication FTP credentials over the debug port 1604 in the MINOVA TTA service. This allows unauthenticated remote access to an active FTP account containing sensitive internal data and import structures. In environments where this FTP server is part of automated business processes (e.g. EDI or data integration), this could lead to data manipulation, extraction, or abuse. Debug ports 1602, 1603 and 1636 also expose service architecture information and system activity logs |
| General Industrial Controls Lynx+ Gateway is vulnerable to a cleartext transmission vulnerability that could allow
an attacker to observe network traffic to obtain sensitive information,
including plaintext credentials. |
| Cleartext storage of sensitive information was discovered in Click Programming Software version v3.60. The vulnerability can be exploited by a local user with access to the file system, while an administrator session is active, to steal credentials stored in clear text. |
| Arctera/Veritas Data Insight before 7.1.2 can send cleartext credentials when configured to use HTTP Basic Authentication to a Dell Isilon OneFS server. |
| Due to an unsecure default configuration HTTP is used instead of HTTPS for the web interface. An unauthenticated attacker on the same network could exploit this to learn sensitive data during transmission. |
| A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q200 family (All versions >= V2.70 < V2.80). Affected devices store the password for the SMTP account as plain text. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes. |
| A vulnerability has been found in vLLM AIBrix 0.2.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file pkg/plugins/gateway/prefixcacheindexer/hash.go of the component Prefix Caching. The manipulation leads to insufficiently random values. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 0.3.0 is able to address this issue. It is recommended to upgrade the affected component. |
