VYPR

CWE-311

Missing Encryption of Sensitive Data

ClassDraftLikelihood: High

Description

The product does not encrypt sensitive or critical information before storage or transmission.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-157 · CAPEC-158 · CAPEC-204 · CAPEC-31 · CAPEC-37 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-477 · CAPEC-609 · CAPEC-65

CVEs mapped to this weakness (303)

page 8 of 16
  • CVE-2017-5251HigFeb 22, 2018
    risk 0.53cvss 8.1epss 0.01

    In version 1012 and prior of Insteon's Insteon Hub, the radio transmissions used for communication between the hub and connected devices are not encrypted.

  • CVE-2018-5261HigFeb 2, 2018
    risk 0.53cvss 8.1epss 0.00

    An issue was discovered in Flexense DiskBoss 8.8.16 and earlier. Due to the usage of plaintext information from the handshake as input for the encryption key used for the encryption of the rest of the session, the server and client disclose sensitive information, such as the…

  • CVE-2017-6445HigMar 5, 2017
    risk 0.53cvss 8.1epss 0.01

    The auto-update feature of Open Embedded Linux Entertainment Center (OpenELEC) 6.0.3, 7.0.1, and 8.0.4 uses neither encrypted connections nor signed updates. A man-in-the-middle attacker could manipulate the update packages to gain root access remotely.

  • CVE-2017-8221HigApr 25, 2017
    risk 0.52cvss 7.5epss 0.03

    Wireless IP Camera (P2P) WIFICAM devices rely on a cleartext UDP tunnel protocol (aka the Cloud feature) for communication between an Android application and a camera device, which allows remote attackers to obtain sensitive information by sniffing the network.

  • CVE-2018-14608HigJul 26, 2018
    risk 0.49cvss 7.5epss 0.01

    Thomson Reuters UltraTax CS 2017 on Windows has a password protection option; however, the level of protection might be inconsistent with some customers' expectations because the data is directly accessible in cleartext. Specifically, it stores customer data in unique…

  • CVE-2018-14607HigJul 26, 2018
    risk 0.49cvss 7.5epss 0.01

    Thomson Reuters UltraTax CS 2017 on Windows, in a client/server configuration, transfers customer records and bank account numbers in cleartext over SMBv2, which allows attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM)…

  • CVE-2018-5162HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.02

    Plaintext of decrypted emails can leak through the src attribute of remote images, or links. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.

  • CVE-2016-10608HigJun 1, 2018
    risk 0.49cvss 7.5epss 0.02

    robot-js is a module for native system automation for node.js. robot-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled…

  • CVE-2016-10598HigJun 1, 2018
    risk 0.49cvss 7.5epss 0.01

    arrayfire-js is a module for ArrayFire for the Node.js platform. arrayfire-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker…

  • CVE-2017-17763HigDec 19, 2017
    risk 0.49cvss 7.5epss 0.01

    SuperBeam through 4.1.3, when using the LAN or WiFi Direct Share feature, does not use HTTPS or any integrity-protection mechanism for file transfer, which makes it easier for remote attackers to send crafted files, as demonstrated by APK injection.

  • CVE-2017-15581HigOct 27, 2017
    risk 0.49cvss 7.5epss 0.01

    In the "Diary with lock" (aka WriteDiary) application 4.72 for Android, neither HTTPS nor other encryption is used for transmitting data, despite the documentation that the product is intended for "a personal journal of ... secrets and feelings," which allows remote attackers to…

  • CVE-2017-15609HigOct 19, 2017
    risk 0.49cvss 7.5epss 0.01

    Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop Targets.

  • CVE-2017-12817HigAug 25, 2017
    risk 0.49cvss 7.5epss 0.01

    In Kaspersky Internet Security for Android 11.12.4.1622, some of the application trace files were not encrypted.

  • CVE-2017-7729HigJul 11, 2017
    risk 0.49cvss 7.5epss 0.01

    On iSmartAlarm cube devices, there is Incorrect Access Control because a "new key" is transmitted in cleartext.

  • CVE-2017-9604HigJun 13, 2017
    risk 0.49cvss 7.5epss 0.01

    KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the…

  • CVE-2007-4961HigSep 18, 2007
    risk 0.49cvss 7.5epss 0.01

    The login_to_simulator method in Linden Lab Second Life, as used by the secondlife:// protocol handler and possibly other Second Life login mechanisms, sends an MD5 hash in cleartext in the passwd field, which allows remote attackers to login to an account by sniffing the…

  • CVE-2016-10552HigMay 31, 2018
    risk 0.48cvss 7.4epss 0.01

    igniteui 0.0.5 and earlier downloads JavaScript and CSS resources over insecure protocol.

  • CVE-2017-15397HigFeb 7, 2018
    risk 0.48cvss 7.4epss 0.00

    Inappropriate implementation in ChromeVox in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker in a privileged network position to observe or tamper with certain cleartext HTTP requests by leveraging that position.

  • CVE-2025-48862HigAug 14, 2025
    risk 0.46cvss 7.1epss 0.00

    Ambiguous wording in the web interface of the ctrlX OS setup mechanism could lead the user to believe that the backup file is encrypted when a password is set. However, only the private key - if available in the backup - is encrypted, while the backup file itself remains…

  • CVE-2024-7396HigAug 5, 2024
    risk 0.46cvss epss 0.00

    Missing encryption of sensitive data in Korenix JetPort 5601v3 allows Eavesdropping.This issue affects JetPort 5601v3: through 1.2.