VYPR

CWE-311

Missing Encryption of Sensitive Data

Abstraction: Class · Status: Draft · Likelihood of exploit: High

Description

The product does not encrypt sensitive or critical information before storage or transmission.
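
The definition covers both halves: data at rest and data in transit. As an added example that is not the page's code nor that of any project listed below, the Go program here writes a job config with an API token in cleartext (the pattern behind several of the entries on this page), beside a hardened writer that seals the token with AES-256-GCM under a key held outside the file, a regression check that the secret's bytes never appear verbatim in what is stored, and an endpoint check that refuses to send credentials to a non-https URL. The config format, the token, the key and the URLs are all constructed for the example; the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrCleartextEndpoint is returned for API base URLs that are not https.
var ErrCleartextEndpoint = errors.New("endpoint is not https: credentials would cross the network in cleartext")

// StoreConfigPlaintext renders a job config the way a component exhibiting
// CWE-311 would: the token is written as-is, so anyone who can read the file
// (or a backup of it) has the token. The XML-ish format is constructed here.
func StoreConfigPlaintext(apiToken string) string {
	return "<config>\n  <apiToken>" + apiToken + "</apiToken>\n</config>\n"
}

// SealSecret encrypts plaintext with AES-256-GCM. The random 12-byte nonce is
// prepended to ciphertext||tag and the result is base64-encoded so it can sit
// in a text config. The key must live outside the config (OS keystore, KMS,
// or a secret injected at start-up); a key stored beside the file gains nothing.
func SealSecret(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenSecret reverses SealSecret. A wrong key or any modification of the
// stored value fails GCM authentication and returns an error, not garbage.
func OpenSecret(key []byte, sealed string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < aead.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// StoreConfigEncrypted is the hardened counterpart of StoreConfigPlaintext.
func StoreConfigEncrypted(key []byte, apiToken string) (string, error) {
	sealed, err := SealSecret(key, []byte(apiToken))
	if err != nil {
		return "", err
	}
	return "<config>\n  <apiToken enc=\"aes-256-gcm\">" + sealed + "</apiToken>\n</config>\n", nil
}

// LeaksCleartext is the regression check to keep in a test suite: the bytes of
// the secret must never appear verbatim in what is written to disk.
func LeaksCleartext(stored, secret string) bool {
	return strings.Contains(stored, secret)
}

// RequireTLSEndpoint guards the transmission side: a client that attaches
// credentials to its requests refuses to be pointed at an http:// base URL.
func RequireTLSEndpoint(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("%w: %q", ErrCleartextEndpoint, raw)
	}
	return u, nil
}

func main() {
	key := make([]byte, 32) // constructed: in practice load it from a keystore
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	secret := "example-api-token-0123456789" // constructed sample secret
	enc, err := StoreConfigEncrypted(key, secret)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext config leaks secret:", LeaksCleartext(StoreConfigPlaintext(secret), secret))
	fmt.Println("encrypted config leaks secret:", LeaksCleartext(enc, secret))
	for _, ep := range []string{"http://api.example.test/v1", "https://api.example.test/v1"} {
		_, err := RequireTLSEndpoint(ep)
		fmt.Println(ep, "->", err)
	}
}
```

Run it with `go run`. Two caveats a reviewer would raise: LeaksCleartext only catches a verbatim copy, so it will not flag a secret that was base64- or hex-encoded before being written, and the encrypted form is only as strong as the key's storage; if the key is written next to the config (or disclosed by an unauthenticated endpoint, as in one entry below), the encryption is decorative.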

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-157 · CAPEC-158 · CAPEC-204 · CAPEC-31 · CAPEC-37 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-477 · CAPEC-609 · CAPEC-65

CVEs mapped to this weakness (303)

page 11 of 16
  • CVE-2024-41124 · Medium · Jul 19, 2024
    risk 0.34 · cvss 6.3 · epss 0.00

    Puncia is the Official CLI utility for Subdomain Center & Exploit Observer. `API_URLS` is utilizing HTTP instead of HTTPS for communication that can lead to issues like Eavesdropping, Data Tampering, Unauthorized Data Access & MITM Attacks. This issue has been addressed in…

  • CVE-2023-46219 · Medium · Dec 12, 2023
    risk 0.34 · cvss 5.3 · epss 0.01

    When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.

  • CVE-2018-10825 · Medium · May 15, 2018
    risk 0.34 · cvss 5.3 · epss 0.00

    Mimo Baby 2 devices do not use authentication or encryption for the Bluetooth Low Energy (BLE) communication from a Turtle to a Lilypad, which allows attackers to inject fake information about the position and temperature of a baby via a replay or spoofing attack.

  • CVE-2024-38283 · Medium · Jun 13, 2024
    risk 0.33 · cvss n/a · epss 0.00

    Sensitive customer information is stored in the device without encryption.

  • CVE-2025-13453 · Medium · Jan 14, 2026
    risk 0.30 · cvss 4.6 · epss 0.00

    A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive.

  • CVE-2024-7142 · Medium · Jan 10, 2025
    risk 0.30 · cvss 4.6 · epss 0.00

    On Arista CloudVision Appliance (CVA) affected releases running on appliances that support hardware disk encryption (DCA-350E-CV only), the disk encryption might not be successfully performed. This results in the disks remaining unsecured and data on them

  • CVE-2018-8849 · Medium · May 18, 2018
    risk 0.30 · cvss 4.6 · epss 0.00

    Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programme and 8870 N'Vision removable Application Card do not encrypt PII and PHI while at rest.

  • CVE-2017-14012 · Medium · May 1, 2018
    risk 0.30 · cvss 4.6 · epss 0.00

    Boston Scientific ZOOM LATITUDE PRM Model 3120 does not encrypt PHI at rest. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

  • CVE-2018-4847 · Medium · Apr 23, 2018
    risk 0.30 · cvss 4.6 · epss 0.00

    A vulnerability has been identified in SIMATIC WinCC OA Operator iOS App (All versions < V1.4). Insufficient protection of sensitive information (e.g. session key for accessing server) in Siemens WinCC OA Operator iOS app could allow an attacker with physical access to the…

  • CVE-2017-8769 · Medium · May 18, 2017
    risk 0.30 · cvss 4.6 · epss 0.00

    Facebook WhatsApp Messenger before 2.16.323 for Android uses the SD card for cleartext storage of files (Audio, Documents, Images, Video, and Voice Notes) associated with a chat, even after that chat is deleted. There may be users who expect file deletion to occur upon chat…

  • CVE-2017-8168 · Medium · Nov 22, 2017
    risk 0.28 · cvss 4.3 · epss 0.00

    FusionSphere OpenStack with software V100R006C00SPC102(NFV) and V100R006C10 have an information leak vulnerability. Due to an incorrect configuration item, the information transmitted by a transmission channel is not encrypted. An attacker accessing the internal network may…

  • CVE-2025-8763 · Low · Aug 9, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    A vulnerability was found in Ruijie EG306MG 3.0(1)B11P309. It has been rated as problematic. This issue affects some unknown processing of the file /etc/strongswan.conf of the component strongSwan. The manipulation of the argument i_dont_care_about_security_and_use_aggressive_mod…

  • CVE-2018-8864 · Low · May 25, 2018
    risk 0.20 · cvss 3.1 · epss 0.00

    In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) devices, a missing encryption of sensitive data vulnerability caused by specially crafted malicious radio transmissions may allow an attacker to remotely trigger false alarms.

  • CVE-2025-47274 · Low · May 12, 2025
    risk 0.09 · cvss n/a · epss 0.00

    ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers. Due to the ordering of code used to start an MCP server container, versions of ToolHive prior to 0.0.33 inadvertently store secrets in the run config files which are…

  • CVE-2025-1243 · Low · Feb 12, 2025
    risk 0.06 · cvss n/a · epss 0.00

    The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted in information contained within the `update response`…

  • CVE-2026-27944 · Mar 5, 2026
    risk 0.01 · cvss n/a · epss 0.22

    Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an…

  • CVE-2026-55568 · Jun 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Impact: The built-in cURL handlers (`GuzzleHttp\Handler\CurlHandler` and `GuzzleHttp\Handler\CurlMultiHandler`, used by default whenever the PHP cURL extension is available) accept an `https://` proxy (a proxy reached over a TLS-encrypted connection) through the…

  • CVE-2025-64147 · Oct 29, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2025-64146 · Oct 29, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2025-64145 · Oct 29, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.