CWE-319
Cleartext Transmission of Sensitive Information
Description
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-102 · CAPEC-117 · CAPEC-383 · CAPEC-477 · CAPEC-65
CVEs mapped to this weakness (302)
page 4 of 16| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-24455 | — | Hig | 0.49 | 7.5 | 0.00 | Feb 20, 2026 | The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network. | |
| CVE-2020-36917 | Hig | 0.49 | 7.5 | 0.00 | Jan 6, 2026 | iDS6 DSSPro Digital Signage System 6.2 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept authentication credentials through cleartext cookie transmission. Attackers can exploit the autoSave feature to capture user passwords… | ||
| CVE-2020-36914 | Hig | 0.49 | 7.5 | 0.00 | Jan 6, 2026 | QiHang Media Web Digital Signage 3.0.9 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept user authentication credentials through cleartext cookie transmission. Attackers can perform man-in-the-middle attacks to capture and… | ||
| CVE-2025-62765 | Hig | 0.49 | 7.5 | 0.00 | Nov 15, 2025 | General Industrial Controls Lynx+ Gateway is vulnerable to a cleartext transmission vulnerability that could allow an attacker to observe network traffic to obtain sensitive information, including plaintext credentials. | ||
| CVE-2025-41718 | — | Hig | 0.49 | 7.5 | 0.00 | Oct 14, 2025 | A cleartext transmission of sensitive information vulnerability in the affected products allows an unauthorized remote attacker to gain login credentials and access the Web-UI. | |
| CVE-2025-7731 | Hig | 0.49 | 7.5 | 0.00 | Sep 1, 2025 | Cleartext Transmission of Sensitive Information vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to obtain credential information by intercepting SLMP communication messages, and read or write the device… | ||
| CVE-2025-53703 | Hig | 0.49 | 7.5 | 0.00 | Jul 22, 2025 | DuraComm SPM-500 DP-10iN-100-MU transmits sensitive data without encryption over a channel that could be intercepted by attackers. | ||
| CVE-2025-44251 | Hig | 0.49 | 7.5 | 0.00 | Jul 10, 2025 | Ecovacs Deebot T10 1.7.2 transmits Wi-Fi credentials in cleartext during the pairing process. | ||
| CVE-2025-5270 | Hig | 0.49 | 7.5 | 0.00 | May 27, 2025 | In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability was fixed in Firefox 139 and Thunderbird 139. | ||
| CVE-2025-27594 | — | Hig | 0.49 | 7.5 | 0.00 | Mar 14, 2025 | The device uses an unencrypted, proprietary protocol for communication. Through this protocol, configuration data is transmitted and device authentication is performed. An attacker can thereby intercept the authentication hash and use it to log into the device using a… | |
| CVE-2025-1060 | — | Hig | 0.49 | 7.5 | 0.00 | Feb 13, 2025 | CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists that could result in the exposure of data when network traffic is being sniffed by an attacker. | |
| CVE-2024-36558 | Hig | 0.49 | 7.5 | 0.00 | Feb 6, 2025 | Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h suffers from Cleartext Transmission of Sensitive Information due to lack of encryption in device-server communication. | ||
| CVE-2024-48788 | Hig | 0.49 | 7.5 | 0.01 | Oct 11, 2024 | An issue in YESCAM (com.yescom.YesCam.zwave) 1.0.2 allows a remote attacker to obtain sensitive information via the firmware update process. | ||
| CVE-2024-36426 | Hig | 0.49 | 7.5 | 0.00 | May 27, 2024 | In TARGIT Decision Suite 23.2.15007.0 before Autumn 2023, the session token is part of the URL and may be sent in a cleartext HTTP session. | ||
| CVE-2023-3272 | Hig | 0.49 | 7.5 | 0.00 | Jul 10, 2023 | Cleartext Transmission of Sensitive Information in the SICK ICR890-4 could allow a remote attacker to gather sensitive information by intercepting network traffic that is not encrypted. | ||
| CVE-2021-22703 | Hig | 0.49 | 7.5 | 0.01 | Feb 19, 2021 | A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of user credentials when a malicious… | ||
| CVE-2021-22702 | Hig | 0.49 | 7.5 | 0.01 | Feb 19, 2021 | A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of user credentials… | ||
| CVE-2020-7488 | Hig | 0.49 | 7.5 | 0.01 | Apr 22, 2020 | A CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists which could leak sensitive information transmitted between the software and the Modicon M218, M241, M251, and M258 controllers. | ||
| CVE-2018-18071 | Hig | 0.49 | 7.5 | 0.01 | Oct 9, 2018 | An issue was discovered in the Daimler Mercedes-Benz Me app 2.11.0-846 for iOS. The encrypted Connected Vehicle API data exchange between the app and a server might be intercepted. The app can be used to operate the Remote Parking Pilot, unlock the vehicle, or obtain sensitive… | ||
| CVE-2018-11338 | Hig | 0.49 | 7.5 | 0.01 | Jul 31, 2018 | Intuit Lacerte 2017 for Windows in a client/server environment transfers the entire customer list in cleartext over SMB, which allows attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors.… |
- risk 0.49cvss 7.5epss 0.00
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network.
- risk 0.49cvss 7.5epss 0.00
iDS6 DSSPro Digital Signage System 6.2 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept authentication credentials through cleartext cookie transmission. Attackers can exploit the autoSave feature to capture user passwords…
- risk 0.49cvss 7.5epss 0.00
QiHang Media Web Digital Signage 3.0.9 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept user authentication credentials through cleartext cookie transmission. Attackers can perform man-in-the-middle attacks to capture and…
- risk 0.49cvss 7.5epss 0.00
General Industrial Controls Lynx+ Gateway is vulnerable to a cleartext transmission vulnerability that could allow an attacker to observe network traffic to obtain sensitive information, including plaintext credentials.
- risk 0.49cvss 7.5epss 0.00
A cleartext transmission of sensitive information vulnerability in the affected products allows an unauthorized remote attacker to gain login credentials and access the Web-UI.
- risk 0.49cvss 7.5epss 0.00
Cleartext Transmission of Sensitive Information vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to obtain credential information by intercepting SLMP communication messages, and read or write the device…
- risk 0.49cvss 7.5epss 0.00
DuraComm SPM-500 DP-10iN-100-MU transmits sensitive data without encryption over a channel that could be intercepted by attackers.
- risk 0.49cvss 7.5epss 0.00
Ecovacs Deebot T10 1.7.2 transmits Wi-Fi credentials in cleartext during the pairing process.
- risk 0.49cvss 7.5epss 0.00
In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability was fixed in Firefox 139 and Thunderbird 139.
- risk 0.49cvss 7.5epss 0.00
The device uses an unencrypted, proprietary protocol for communication. Through this protocol, configuration data is transmitted and device authentication is performed. An attacker can thereby intercept the authentication hash and use it to log into the device using a…
- risk 0.49cvss 7.5epss 0.00
CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists that could result in the exposure of data when network traffic is being sniffed by an attacker.
- risk 0.49cvss 7.5epss 0.00
Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h suffers from Cleartext Transmission of Sensitive Information due to lack of encryption in device-server communication.
- risk 0.49cvss 7.5epss 0.01
An issue in YESCAM (com.yescom.YesCam.zwave) 1.0.2 allows a remote attacker to obtain sensitive information via the firmware update process.
- risk 0.49cvss 7.5epss 0.00
In TARGIT Decision Suite 23.2.15007.0 before Autumn 2023, the session token is part of the URL and may be sent in a cleartext HTTP session.
- risk 0.49cvss 7.5epss 0.00
Cleartext Transmission of Sensitive Information in the SICK ICR890-4 could allow a remote attacker to gather sensitive information by intercepting network traffic that is not encrypted.
- risk 0.49cvss 7.5epss 0.01
A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of user credentials when a malicious…
- risk 0.49cvss 7.5epss 0.01
A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of user credentials…
- risk 0.49cvss 7.5epss 0.01
A CWE-319: Cleartext Transmission of Sensitive Information vulnerability exists which could leak sensitive information transmitted between the software and the Modicon M218, M241, M251, and M258 controllers.
- risk 0.49cvss 7.5epss 0.01
An issue was discovered in the Daimler Mercedes-Benz Me app 2.11.0-846 for iOS. The encrypted Connected Vehicle API data exchange between the app and a server might be intercepted. The app can be used to operate the Remote Parking Pilot, unlock the vehicle, or obtain sensitive…
- risk 0.49cvss 7.5epss 0.01
Intuit Lacerte 2017 for Windows in a client/server environment transfers the entire customer list in cleartext over SMB, which allows attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors.…