VYPR

CWE-311

Missing Encryption of Sensitive Data

Abstraction: Class · Status: Draft · Likelihood: High

Description

The product does not encrypt sensitive or critical information before storage or transmission.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-157 · CAPEC-158 · CAPEC-204 · CAPEC-31 · CAPEC-37 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-477 · CAPEC-609 · CAPEC-65

CVEs mapped to this weakness (303)

page 1 of 16
  • CVE-2018-17915 · Critical · Oct 10, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server do not encrypt all device communication. This includes the XMeye service and firmware update communication. This could allow an attacker to eavesdrop on video feeds, steal XMeye login credentials, or…

  • CVE-2017-3198 · Critical · Jul 9, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    GIGABYTE BRIX UEFI firmware does not cryptographically validate images prior to updating the system firmware. Additionally, the firmware updates are served over HTTP. An attacker can make arbitrary modifications to firmware images without being detected.

  • CVE-2018-7498 · Critical · Mar 28, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    In Philips Alice 6 System version R8.0.2 or prior, the lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys.

  • CVE-2017-9632 · Critical · Aug 7, 2017
    risk 0.64 · cvss 9.8 · epss 0.00

    A Missing Encryption of Sensitive Data issue was discovered in PDQ Manufacturing LaserWash G5 and G5 S Series all versions, LaserWash M5, all versions, LaserWash 360 and 360 Plus, all versions, LaserWash AutoXpress and AutoExpress Plus, all versions, LaserJet, all versions,…

  • CVE-2017-9854 · Critical · Aug 5, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue was discovered in SMA Solar Technology products. By sniffing for specific packets on the localhost, plaintext passwords can be obtained as they are typed into Sunny Explorer by the user. These passwords can then be used to compromise the overall device. NOTE: the vendor…

  • CVE-2017-7406 · Critical · Jul 7, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    The D-Link DIR-615 device before v20.12PTb04 doesn't use SSL for any of the authenticated pages. Also, it doesn't allow the user to generate his own SSL Certificate. An attacker can simply monitor network traffic to steal a user's credentials and/or credentials of users being…

  • CVE-2025-36751 · Critical · Dec 13, 2025
    risk 0.61 · cvss (not listed) · epss 0.00

    Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint.

  • CVE-2024-29151 · Critical · Mar 18, 2024
    risk 0.59 · cvss 9.1 · epss 0.00

    Rocket.Chat.Audit through 5ad78e8 depends on filecachetools, which does not exist in PyPI.

  • CVE-2018-7781 · High · Jul 3, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    In Schneider Electric Pelco Sarix Professional 1st generation cameras with firmware versions prior to 3.29.69, by sending a specially crafted request an authenticated user can view password in clear text and results in privilege escalation.

  • CVE-2017-3219 · High · Jun 21, 2017
    risk 0.57 · cvss 8.8 · epss 0.00

    Acronis True Image up to and including version 2017 Build 8053 performs software updates using HTTP. Downloaded updates are only verified using a server-provided MD5 hash.

  • CVE-2017-3218 · High · Jun 21, 2017
    risk 0.57 · cvss 8.8 · epss 0.00

    Samsung Magician 5.0 fails to validate TLS certificates for HTTPS software update traffic. Prior to version 5.0, Samsung Magician uses HTTP for software updates.

  • CVE-2025-48981 · High · Oct 8, 2025
    risk 0.56 · cvss 8.6 · epss 0.00

    An insecure implementation of the proprietary protocol DNET in Product CGM MEDICO allows attackers within the intranet to eavesdrop and manipulate data on the protocol because encryption is optional for this connection.

  • CVE-2017-14852 · High · Jun 3, 2019
    risk 0.56 · cvss 8.6 · epss 0.01

    An insecure communication was found between a user and the Orpak SiteOmat management console for all known versions, due to an invalid SSL certificate. The attack allows for an eavesdropper to capture the communication and decrypt the data.

  • CVE-2025-29314 · High · Mar 24, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    Insecure Shiro cookie configurations in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allow attackers to access sensitive information via a man-in-the-middle attack.

  • CVE-2017-16040 · High · Jun 4, 2018
    risk 0.53 · cvss 8.1 · epss 0.02

    gfe-sass is a library for promises (CommonJS/Promises/A,B,D) gfe-sass downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if…

  • CVE-2017-16035 · High · Jun 4, 2018
    risk 0.53 · cvss 8.1 · epss 0.01

    The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP…

  • CVE-2016-10697 · High · Jun 4, 2018
    risk 0.53 · cvss 8.1 · epss 0.02

    react-native-baidu-voice-synthesizer is a baidu voice speech synthesizer for react native. react-native-baidu-voice-synthesizer downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the…

  • CVE-2016-10696 · High · Jun 4, 2018
    risk 0.53 · cvss 8.1 · epss 0.02

    windows-latestchromedriver downloads the latest version of chromedriver.exe. windows-latestchromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested…

  • CVE-2016-10695 · High · Jun 4, 2018
    risk 0.53 · cvss 8.1 · epss 0.02

    The npm-test-sqlite3-trunk module provides asynchronous, non-blocking SQLite3 bindings. npm-test-sqlite3-trunk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested…

  • CVE-2016-10694 · High · Jun 4, 2018
    risk 0.53 · cvss 8.1 · epss 0.02

    alto-saxophone is a module to install and launch Chromedriver for Mac, Linux or Windows. alto-saxophone versions below 2.25.1 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out…
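Several entries on this page share one pattern: a client fetches an update or resource over plain HTTP, follows an HTTPS-to-HTTP redirect without noticing, or only checks a hash the same server hands out next to the file. The following is an added illustration written for this page, not code from VYPR or from any of the vendors or packages listed above. It contrasts that weak fetch-and-verify pattern with a hardened one, using a constructed in-memory "server" (the hostname updates.example.test, the route table, the payloads and the X-Checksum-MD5 header are all invented for the example) so it runs offline.

```python
"""
Update-fetch hardening (added example): refuse plaintext transport, refuse an
HTTPS->HTTP redirect downgrade, and verify the payload against a digest the
client already trusts rather than one served alongside the file.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}


class InsecureTransport(Exception):
    """An update would be fetched over a plaintext URL."""


class IntegrityFailure(Exception):
    """The downloaded payload does not match the expected digest."""


@dataclass
class Response:
    status: int
    body: bytes = b""
    headers: Dict[str, str] = field(default_factory=dict)


# A fetcher maps a URL to a Response. Real code would wrap urllib/requests;
# it is injected here so the example runs against constructed data.
Fetcher = Callable[[str], Response]


def vulnerable_fetch_update(url: str, fetch: Fetcher) -> bytes:
    """Weak pattern: any scheme is accepted, redirects are followed blindly,
    and the only check is an MD5 the server sends next to the file. An
    on-path attacker who rewrites the body also rewrites the checksum."""
    for _ in range(MAX_REDIRECTS + 1):
        resp = fetch(url)
        if resp.status in REDIRECT_CODES:
            url = urljoin(url, resp.headers["Location"])
            continue
        served_md5 = resp.headers.get("X-Checksum-MD5", "")
        if hashlib.md5(resp.body).hexdigest() != served_md5:
            raise IntegrityFailure("md5 mismatch")
        return resp.body
    raise ValueError("too many redirects")


def hardened_fetch_update(url: str, expected_sha256: str, fetch: Fetcher) -> bytes:
    """Hardened pattern: every hop must be HTTPS (a redirect to http:// is
    rejected before it is followed), and the body must match a SHA-256
    digest pinned on the client side, e.g. from a signed release manifest."""
    for _ in range(MAX_REDIRECTS + 1):
        if urlparse(url).scheme != "https":
            raise InsecureTransport(f"refusing plaintext transport: {url}")
        resp = fetch(url)
        if resp.status in REDIRECT_CODES:
            url = urljoin(url, resp.headers["Location"])
            continue  # the next iteration re-checks the new target's scheme
        if resp.status != 200:
            raise ValueError(f"unexpected status {resp.status}")
        actual = hashlib.sha256(resp.body).hexdigest()
        if not hmac.compare_digest(actual, expected_sha256):
            raise IntegrityFailure("sha256 mismatch")
        return resp.body
    raise ValueError("too many redirects")


# --- constructed scenario: invented host, routes and payloads ---------------
GENUINE = b"genuine-update-v2"
TAMPERED = b"attacker-controlled-update"
GENUINE_SHA256 = hashlib.sha256(GENUINE).hexdigest()


def constructed_fetch(url: str) -> Response:
    """Simulates a server whose /latest endpoint redirects to plain HTTP and an
    on-path attacker who rewrites the HTTP response and its MD5 header."""
    routes = {
        "https://updates.example.test/app.bin": Response(
            200, GENUINE, {"X-Checksum-MD5": hashlib.md5(GENUINE).hexdigest()}),
        "https://updates.example.test/latest": Response(
            302, b"", {"Location": "http://updates.example.test/app.bin"}),
        "http://updates.example.test/app.bin": Response(
            200, TAMPERED, {"X-Checksum-MD5": hashlib.md5(TAMPERED).hexdigest()}),
        "https://updates.example.test/tampered": Response(200, TAMPERED),
    }
    return routes.get(url, Response(404))


def run_scenarios() -> Dict[str, bool]:
    """Report which outcome each fetcher reaches on the constructed routes."""
    out: Dict[str, bool] = {}
    out["vulnerable_accepts_downgraded_tampered"] = vulnerable_fetch_update(
        "https://updates.example.test/latest", constructed_fetch) == TAMPERED
    try:
        hardened_fetch_update("https://updates.example.test/latest",
                              GENUINE_SHA256, constructed_fetch)
        out["hardened_rejects_downgrade"] = False
    except InsecureTransport:
        out["hardened_rejects_downgrade"] = True
    try:
        hardened_fetch_update("https://updates.example.test/tampered",
                              GENUINE_SHA256, constructed_fetch)
        out["hardened_rejects_tampered"] = False
    except IntegrityFailure:
        out["hardened_rejects_tampered"] = True
    out["hardened_accepts_genuine"] = hardened_fetch_update(
        "https://updates.example.test/app.bin", GENUINE_SHA256,
        constructed_fetch) == GENUINE
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The vulnerable path "succeeds" on the downgraded, tampered download because the attacker who controls the plaintext hop also controls the MD5 it is checked against; the hardened path never issues the http:// request at all, and a tampered body delivered even over HTTPS is still caught by the pinned SHA-256. In production the expected digest has to come from somewhere the update server cannot rewrite, such as a signed manifest verified with a key embedded in the client.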