VYPR

CWE-319

Cleartext Transmission of Sensitive Information

Base · Draft · Likelihood: High

Description

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-117 · CAPEC-383 · CAPEC-477 · CAPEC-65

CVEs mapped to this weakness (302)

page 10 of 16
  • CVE-2024-41124 · Med · Jul 19, 2024
    risk 0.34 · cvss 6.3 · epss 0.00

    Puncia is the Official CLI utility for Subdomain Center & Exploit Observer. `API_URLS` is utilizing HTTP instead of HTTPS for communication that can lead to issues like Eavesdropping, Data Tampering, Unauthorized Data Access & MITM Attacks. This issue has been addressed in…

  • CVE-2024-0066 · Med · Jun 18, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Johan Fagerström, member of the AXIS OS Bug Bounty Program, has found that a O3C feature may expose sensitive traffic between the client (Axis device) and (O3C) server. If O3C is not being used this flaw does not apply. Axis has released patched AXIS OS versions for the…

  • CVE-2017-8154 · Med · Apr 11, 2018
    risk 0.34 · cvss 5.3 · epss 0.00

    The Themes App Honor 8 Lite Huawei mobile phones with software of versions before Prague-L31C576B172, versions before Prague-L31C530B160, versions before Prague-L31C432B180 has a man-in-the-middle (MITM) vulnerability due to the use of the insecure HTTP protocol for theme…

  • CVE-2007-4786 · Med · Sep 10, 2007
    risk 0.34 · cvss 5.3 · epss 0.01

    Cisco Adaptive Security Appliance (ASA) running PIX 7.0 before 7.0.7.1, 7.1 before 7.1.2.61, 7.2 before 7.2.2.34, and 8.0 before 8.0.2.11, when AAA is enabled, composes %ASA-5-111008 messages from the "test aaa" command with cleartext passwords and sends them over the network to…

  • CVE-2024-47269 · Med · May 27, 2026
    risk 0.32 · cvss 4.9 · epss 0.00

    Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors.

  • CVE-2026-43625 · Med · Jun 1, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. Attackers can position themselves on the network…

  • CVE-2026-41281 · Med · May 14, 2026
    risk 0.31 · cvss 4.8 · epss 0.00

    Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. A man-in-the-middle attacker may access and modify communications transmitted in plaintext, potentially resulting in…

  • CVE-2026-4873 · Med · May 13, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS…

  • CVE-2025-59448 · Med · Oct 6, 2025
    risk 0.31 · cvss 4.7 · epss 0.00

    Components of the YoSmart YoLink ecosystem through 2025-10-02 leverage unencrypted MQTT to communicate over the internet. An attacker with the ability to monitor network traffic could therefore obtain sensitive information or tamper with the traffic to control affected devices.…

  • CVE-2025-43704 · Med · Apr 16, 2025
    risk 0.31 · cvss 4.7 · epss 0.00

    Arctera/Veritas Data Insight before 7.1.2 can send cleartext credentials when configured to use HTTP Basic Authentication to a Dell Isilon OneFS server.

  • CVE-2018-10634 · Med · Aug 13, 2018
    risk 0.31 · cvss 4.8 · epss 0.00

    Communications between Medtronic MiniMed MMT pumps and wireless accessories are transmitted in cleartext. A sufficiently skilled attacker could capture these transmissions and extract sensitive information, such as device serial numbers.

  • CVE-2017-15042 · Med · Oct 5, 2017
    risk 0.31 · cvss 5.9 · epss 0.01

    An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this…

  • CVE-2026-40045 · Med · Apr 21, 2026
    risk 0.30 · cvss 5.7 · epss 0.00

    OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft setup codes to redirect clients to malicious endpoints, disclosing plaintext…

  • CVE-2024-10973 · Med · Dec 17, 2024
    risk 0.30 · cvss 5.7 · epss 0.00

    A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read…

  • CVE-2025-62311 · Med · May 14, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    HCL AION is affected by a vulnerability where backend service details may be transmitted over insecure HTTP channels. This may expose sensitive information to potential interception or unauthorized access during transmission under certain conditions.

  • CVE-2026-4820 · Med · Apr 1, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie…

  • CVE-2024-35495 · Med · Sep 30, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    An Information Disclosure vulnerability in the Telemetry component in TP-Link Kasa KP125M V1.0.0 and Tapo P125M 1.0.0 Build 220930 Rel.143947 allows attackers to observe device state via observing network traffic.

  • CVE-2024-8059 · Med · Sep 13, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    IPMI credentials may be captured in XCC audit log entries when the account username length is 16 characters.

  • CVE-2018-14627 · Med · Sep 4, 2018
    risk 0.28 · cvss 5.3 · epss 0.01

    The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections: <transport-config…

  • CVE-2018-11399 · Med · May 24, 2018
    risk 0.28 · cvss 4.3 · epss 0.00

    SimpliSafe Original has Unencrypted Sensor Transmissions, which allows physically proximate attackers to obtain potentially sensitive information about the specific times when alarm-system events occur.