CWE-311
Missing Encryption of Sensitive Data
Description
The product does not encrypt sensitive or critical information before storage or transmission.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-157 · CAPEC-158 · CAPEC-204 · CAPEC-31 · CAPEC-37 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-477 · CAPEC-609 · CAPEC-65
CVEs mapped to this weakness (303)
page 8 of 16| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-5251 | Hig | 0.53 | 8.1 | 0.01 | Feb 22, 2018 | In version 1012 and prior of Insteon's Insteon Hub, the radio transmissions used for communication between the hub and connected devices are not encrypted. | ||
| CVE-2018-5261 | Hig | 0.53 | 8.1 | 0.00 | Feb 2, 2018 | An issue was discovered in Flexense DiskBoss 8.8.16 and earlier. Due to the usage of plaintext information from the handshake as input for the encryption key used for the encryption of the rest of the session, the server and client disclose sensitive information, such as the… | ||
| CVE-2017-6445 | Hig | 0.53 | 8.1 | 0.01 | Mar 5, 2017 | The auto-update feature of Open Embedded Linux Entertainment Center (OpenELEC) 6.0.3, 7.0.1, and 8.0.4 uses neither encrypted connections nor signed updates. A man-in-the-middle attacker could manipulate the update packages to gain root access remotely. | ||
| CVE-2017-8221 | Hig | 0.52 | 7.5 | 0.03 | Apr 25, 2017 | Wireless IP Camera (P2P) WIFICAM devices rely on a cleartext UDP tunnel protocol (aka the Cloud feature) for communication between an Android application and a camera device, which allows remote attackers to obtain sensitive information by sniffing the network. | ||
| CVE-2018-14608 | Hig | 0.49 | 7.5 | 0.01 | Jul 26, 2018 | Thomson Reuters UltraTax CS 2017 on Windows has a password protection option; however, the level of protection might be inconsistent with some customers' expectations because the data is directly accessible in cleartext. Specifically, it stores customer data in unique… | ||
| CVE-2018-14607 | Hig | 0.49 | 7.5 | 0.01 | Jul 26, 2018 | Thomson Reuters UltraTax CS 2017 on Windows, in a client/server configuration, transfers customer records and bank account numbers in cleartext over SMBv2, which allows attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM)… | ||
| CVE-2018-5162 | Hig | 0.49 | 7.5 | 0.02 | Jun 11, 2018 | Plaintext of decrypted emails can leak through the src attribute of remote images, or links. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8. | ||
| CVE-2016-10608 | Hig | 0.49 | 7.5 | 0.02 | Jun 1, 2018 | robot-js is a module for native system automation for node.js. robot-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled… | ||
| CVE-2016-10598 | — | Hig | 0.49 | 7.5 | 0.01 | Jun 1, 2018 | arrayfire-js is a module for ArrayFire for the Node.js platform. arrayfire-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker… | |
| CVE-2017-17763 | Hig | 0.49 | 7.5 | 0.01 | Dec 19, 2017 | SuperBeam through 4.1.3, when using the LAN or WiFi Direct Share feature, does not use HTTPS or any integrity-protection mechanism for file transfer, which makes it easier for remote attackers to send crafted files, as demonstrated by APK injection. | ||
| CVE-2017-15581 | Hig | 0.49 | 7.5 | 0.01 | Oct 27, 2017 | In the "Diary with lock" (aka WriteDiary) application 4.72 for Android, neither HTTPS nor other encryption is used for transmitting data, despite the documentation that the product is intended for "a personal journal of ... secrets and feelings," which allows remote attackers to… | ||
| CVE-2017-15609 | Hig | 0.49 | 7.5 | 0.01 | Oct 19, 2017 | Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop Targets. | ||
| CVE-2017-12817 | Hig | 0.49 | 7.5 | 0.01 | Aug 25, 2017 | In Kaspersky Internet Security for Android 11.12.4.1622, some of the application trace files were not encrypted. | ||
| CVE-2017-7729 | Hig | 0.49 | 7.5 | 0.01 | Jul 11, 2017 | On iSmartAlarm cube devices, there is Incorrect Access Control because a "new key" is transmitted in cleartext. | ||
| CVE-2017-9604 | Hig | 0.49 | 7.5 | 0.01 | Jun 13, 2017 | KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the… | ||
| CVE-2007-4961 | Hig | 0.49 | 7.5 | 0.01 | Sep 18, 2007 | The login_to_simulator method in Linden Lab Second Life, as used by the secondlife:// protocol handler and possibly other Second Life login mechanisms, sends an MD5 hash in cleartext in the passwd field, which allows remote attackers to login to an account by sniffing the… | ||
| CVE-2016-10552 | — | Hig | 0.48 | 7.4 | 0.01 | May 31, 2018 | igniteui 0.0.5 and earlier downloads JavaScript and CSS resources over insecure protocol. | |
| CVE-2017-15397 | Hig | 0.48 | 7.4 | 0.00 | Feb 7, 2018 | Inappropriate implementation in ChromeVox in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker in a privileged network position to observe or tamper with certain cleartext HTTP requests by leveraging that position. | ||
| CVE-2025-48862 | Hig | 0.46 | 7.1 | 0.00 | Aug 14, 2025 | Ambiguous wording in the web interface of the ctrlX OS setup mechanism could lead the user to believe that the backup file is encrypted when a password is set. However, only the private key - if available in the backup - is encrypted, while the backup file itself remains… | ||
| CVE-2024-7396 | Hig | 0.46 | — | 0.00 | Aug 5, 2024 | Missing encryption of sensitive data in Korenix JetPort 5601v3 allows Eavesdropping.This issue affects JetPort 5601v3: through 1.2. |
- risk 0.53cvss 8.1epss 0.01
In version 1012 and prior of Insteon's Insteon Hub, the radio transmissions used for communication between the hub and connected devices are not encrypted.
- risk 0.53cvss 8.1epss 0.00
An issue was discovered in Flexense DiskBoss 8.8.16 and earlier. Due to the usage of plaintext information from the handshake as input for the encryption key used for the encryption of the rest of the session, the server and client disclose sensitive information, such as the…
- risk 0.53cvss 8.1epss 0.01
The auto-update feature of Open Embedded Linux Entertainment Center (OpenELEC) 6.0.3, 7.0.1, and 8.0.4 uses neither encrypted connections nor signed updates. A man-in-the-middle attacker could manipulate the update packages to gain root access remotely.
- risk 0.52cvss 7.5epss 0.03
Wireless IP Camera (P2P) WIFICAM devices rely on a cleartext UDP tunnel protocol (aka the Cloud feature) for communication between an Android application and a camera device, which allows remote attackers to obtain sensitive information by sniffing the network.
- risk 0.49cvss 7.5epss 0.01
Thomson Reuters UltraTax CS 2017 on Windows has a password protection option; however, the level of protection might be inconsistent with some customers' expectations because the data is directly accessible in cleartext. Specifically, it stores customer data in unique…
- risk 0.49cvss 7.5epss 0.01
Thomson Reuters UltraTax CS 2017 on Windows, in a client/server configuration, transfers customer records and bank account numbers in cleartext over SMBv2, which allows attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM)…
- risk 0.49cvss 7.5epss 0.02
Plaintext of decrypted emails can leak through the src attribute of remote images, or links. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.
- risk 0.49cvss 7.5epss 0.02
robot-js is a module for native system automation for node.js. robot-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled…
- risk 0.49cvss 7.5epss 0.01
arrayfire-js is a module for ArrayFire for the Node.js platform. arrayfire-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker…
- risk 0.49cvss 7.5epss 0.01
SuperBeam through 4.1.3, when using the LAN or WiFi Direct Share feature, does not use HTTPS or any integrity-protection mechanism for file transfer, which makes it easier for remote attackers to send crafted files, as demonstrated by APK injection.
- risk 0.49cvss 7.5epss 0.01
In the "Diary with lock" (aka WriteDiary) application 4.72 for Android, neither HTTPS nor other encryption is used for transmitting data, despite the documentation that the product is intended for "a personal journal of ... secrets and feelings," which allows remote attackers to…
- risk 0.49cvss 7.5epss 0.01
Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop Targets.
- risk 0.49cvss 7.5epss 0.01
In Kaspersky Internet Security for Android 11.12.4.1622, some of the application trace files were not encrypted.
- risk 0.49cvss 7.5epss 0.01
On iSmartAlarm cube devices, there is Incorrect Access Control because a "new key" is transmitted in cleartext.
- risk 0.49cvss 7.5epss 0.01
KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the…
- risk 0.49cvss 7.5epss 0.01
The login_to_simulator method in Linden Lab Second Life, as used by the secondlife:// protocol handler and possibly other Second Life login mechanisms, sends an MD5 hash in cleartext in the passwd field, which allows remote attackers to login to an account by sniffing the…
- risk 0.48cvss 7.4epss 0.01
igniteui 0.0.5 and earlier downloads JavaScript and CSS resources over insecure protocol.
- risk 0.48cvss 7.4epss 0.00
Inappropriate implementation in ChromeVox in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker in a privileged network position to observe or tamper with certain cleartext HTTP requests by leveraging that position.
- risk 0.46cvss 7.1epss 0.00
Ambiguous wording in the web interface of the ctrlX OS setup mechanism could lead the user to believe that the backup file is encrypted when a password is set. However, only the private key - if available in the backup - is encrypted, while the backup file itself remains…
- risk 0.46cvss —epss 0.00
Missing encryption of sensitive data in Korenix JetPort 5601v3 allows Eavesdropping.This issue affects JetPort 5601v3: through 1.2.